Information Security: A mindset, not a product

An overview of IT security threats, common weakness in IT networks, and policies & procedures for reducing risk

  1. SAGECare® Security Practice – Customer Appreciation Days
     Information Security - A mindset, not a product
     www.SAGEcomputer.com   Making Business Smarter   ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  2. Introductions
     • SAGE Computer Associates, Inc
       – Designing, installing, supporting computer networks since 1983
       – Experience supporting 300+ clients
       – Certified engineers on staff
     • Jeff Cohn – President
     • Jason Appel – Security Practice Manager
       – CISSP, CCSP, INFOSEC, MCSE, MCT, MCSA, CCDA, CSSA
  3. This morning...
     • In the news...
     • What is Information Security
     • AAA – Authentication, Authorization, Accounting
     • Threat Identification
     • Policies
     • Case studies: recent local incidents
  4. In the news…
  5. Information Security
     NOT about computers. It’s about the information…
  6. Information Security Goal: IAC triad
     • Integrity
     • Availability
     • Confidentiality
  7. Integrity
     • Information is valid and usable
     • Confidence in the information
       – Garbage in, garbage out
     • Preventing accidental or malicious changes
     • Only authorized changes
  8. Availability
     • Information is there when needed
     • Redundant systems
       – RAID
       – Power
       – Network
       – Server clusters
       – Virtualization
  9. Availability
     • Data backup, backup… oh, and backup again
       – Backup testing
       – Offsite storage
       – Media encryption
     • Business Continuity/Disaster Recovery Plan
       – PLAN (a GOOD 4 letter word)
       – Practice
       – Based on roles, not persons
  10. Confidentiality
     • Only those authorized have access to information
     • File permissions and rights
       – Limit access
     • Communications – email, voice, file transfer
     • Encryption
     • Various models for information classification
       – Could be time sensitive
     • Data Destruction
  11. AAA – Who, What, Where of IAC
     • Authentication: who are you?
       – Username/password
       – 2-factor authentication
       – Passwords...
     • Authorization: what can you do?
       – Rights and permissions
     • Accounting: who did what?
       – Logging, auditing and tracking
     • Identification and deniability
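The three A's on slide 11 are easiest to see as three separate decisions, each of which leaves a record. The example below is added here and is not the deck's own material: a toy in-memory user store where authentication is a salted PBKDF2 password check, authorization is a role-to-permission lookup, and accounting is an audit log that every decision is appended to, so "who did what" is a query rather than a guess. The user names, roles and permission table are constructed; a real deployment would keep the store in a directory service or database, never in source.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed in-memory user store: username -> {"salt", "hash", "roles"}.
_USERS = {}
# Accounting: every authentication and authorization decision is appended here.
AUDIT_LOG = []
# Constructed role -> permission table (authorization policy).
PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "staff": {"read", "write"},
    "guest": {"read"},
}
ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows


def _derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _record(username, action, allowed):
    """Accounting: one audit entry per decision, allowed or denied."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username,
        "action": action,
        "allowed": allowed,
    })


def register(username, password, roles):
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _derive(password, salt), "roles": set(roles)}


def authenticate(username, password):
    """Authentication: who are you? True only on a constant-time match of the stored hash."""
    rec = _USERS.get(username)
    if rec is None:
        # Derive anyway so an unknown user takes as long as a known one (no user enumeration by timing).
        _derive(password, b"\x00" * 16)
        ok = False
    else:
        ok = hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])
    _record(username, "login", ok)
    return ok


def authorize(username, action):
    """Authorization: what can you do? Allowed if any of the user's roles grants the action."""
    rec = _USERS.get(username)
    allowed = rec is not None and any(action in PERMISSIONS.get(r, set()) for r in rec["roles"])
    _record(username, action, allowed)
    return allowed


def who_did_what(action):
    """Accounting query: which users were allowed to perform `action`, in order."""
    return [e["user"] for e in AUDIT_LOG if e["action"] == action and e["allowed"]]


if __name__ == "__main__":
    register("alice", "correct horse battery", ["staff"])
    register("bob", "guest-pass", ["guest"])
    print("alice login:", authenticate("alice", "correct horse battery"))
    print("bob may write:", authorize("bob", "write"))
    print("who wrote:", who_did_what("write"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that denied attempts are logged too: the audit trail is as much about the failed login at 3 a.m. as about the successful one, and the slide's "identification and deniability" point only holds if every decision, not just the permitted ones, is recorded.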
  12. Threat Identification: External
     • Breach (Confidentiality, Integrity, Availability)
       – Possible external access to information or systems
     • Identity Theft (Confidentiality)
       – Using someone’s personal data for financial gain
     • Social Engineering (Confidentiality)
       – Using confidence (con) to gain access to information
       – Often used to gain information to create a breach
     • Spam (Availability, Integrity)
       – Unsolicited email
       – May contain malicious code or phishing links
     • Phishing (Confidentiality)
       – Spoofed (fake) message to trick people into posting information
       – Often used as basis for identity theft
  13. Threat Identification: External
     • DoS - Denial of Service (Availability)
       – Service is not available for legitimate use
     • Cracking/hacking (Integrity, Confidentiality, Availability)
       – Unauthorized, active access to systems
     • Malicious code (Integrity, Confidentiality, Availability)
       – Program or script that will cause harm - aka Malware
       – Viruses - require software or the computer’s components to run
       – Worms - function and self-replicate without the computer’s components
       – Trojan horse - malicious code masked as a useful or desirable program
       – Spyware/adware - non-malicious software used to track users and display advertising
         • Often poorly written and causes performance problems
         • May contain other malicious code
  14. Threat Identification: Internal
     • Internal threats
       – Accidental or deliberate, from authorized and trusted sources
       – Majority of security incidents are from internal sources
     • Information corruption (Integrity)
       – Data is not entered correctly or is modified to be wrong
     • Information destruction (Integrity)
       – Data is removed, deleted or otherwise made inaccessible
     • Information leak (Confidentiality)
       – Data is revealed to unauthorized persons
     • Information outage (Availability)
       – Data services not available
  15. What can we do – as an organization
     • Security Mindset
       – To catch a thief, think like a thief
     • Know your data
       – What would others like to gain access to?
       – What could be sold?
       – What can you not work without?
       – Legally and contractually protected data
     • Encryption
       – A tool, not a panacea
       – Backup media
       – Hard drives
       – Communications
       – Flash drives
     • Educate users
       – Formal policies
       – Usage training
  16. What can we do - as an organization
     • Follow best practices
       – Updates - operating systems, firmware, software, anti-malware
       – Protection - anti-malware
       – Minimalist - run only what you need
     • Secure the network
       – Firewalls - stateful and deep packet inspection at perimeter
       – Anti-malware at perimeter
       – IPS/IDS, perimeter and internal
       – DMZ
       – Software firewalls
     • Vendor support
       – Hardware warranties
       – Communication SLA
       – Support SLA
  17. What can we do - as users
     • Anti-malware software
       – Run current versions of reputable anti-malware software
       – Be sure to update regularly with the latest virus, adware and spyware definitions
     • Update all software regularly
       – Turn on automatic operating system and software updates
       – Put a reminder on your calendar to check on your other programs regularly
         • Includes Java, Flash and other browser-based programs
     • If you don’t need it, don’t install it
       – Do not use free software at work
         • Malware
         • Licensing liability
  18. What can we do - as users
     • Follow safe browsing and communications practices (internet, email, IM, social sites)
       – Pop-ups - ALT+F4 to close
       – Type in addresses, do not click through, especially from email
         • Helps avoid phishing and malware
       – If you would not write it on paper, do not write it (email or online)
       – Avoid forwarding chain email and questionable jokes
         • Be aware of who you’re sending it to
       – Use work PC for work
     • Know your organization’s policies
  19. Formal Policies
     • Formal written policies should be guidelines for behavior and actions
       – Should be intelligible, readable and realistic documents, not legal contracts
     • Idea is to augment training and answer questions, not restrict employees
  20. Formal Policies
     • Should we delete old emails? Should we reply to spam?
     • What can we send over email, IM and post on social networking websites?
  21. Formal Policies
     • Should we run free software from spam and pop-ups? Open attachments?
     • Can we listen to streaming music and watch videos over the internet?
  22. Formal Policies
     • Is our data safe? What if something happens to the building?
     • Do we really need passwords? Can we put them on post-its?
     • Can we access the network remotely?
  23. Formal Policies
     • Consistently enforced policies protect both user and organization when facing…
       – Disasters
       – Legal discovery
       – Harassment issues
       – Employment disputes
  24. Typical Policies
     • Computer, network and internet acceptable usage
     • Email and communications usage and retention
     • Data retention
     • Information Security
     • Business Continuity / Disaster Recovery
  25. Recent Cases: Billing Website
     • Online payment system compromised
     • Healthcare funding organization accepting donations online
     • Recently changed payment providers to new system
     • On old system, thousands of small (less than $1) authorizations over a weekend
     • Analysis
       – Authorizations only, no charges made
       – No access to real donor information
       – Automated submissions, possibly pulled from old website code (5 years old)
     • Costs:
       – Incident investigation and report
       – Processing fees
       – Employee time & productivity
  26. Recent Cases: SQL Injection
     • Database compromise
     • Not-for-profit community service scheduling events on website
     • Website began redirecting users to a virus download, and the download URL was found in the scheduling database
       – Database contained customer identifiable info, credit card numbers, and social security numbers
     • Analysis:
       – Exploit: websites with a “trivial coding error” and using Microsoft SQL Server databases, ASP update not applied to web server
       – SQL injection: corrupt data was added to the database (URL), no data read from the database
     • Costs:
       – Incident investigation and report
       – Database sanitizing
       – Employee time & productivity - all internet access was initially blocked during the investigation
       – Reputation
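The "trivial coding error" behind the slide 26 case is input pasted straight into a SQL string. The following is an added example, not code from the deck or from the affected site: it puts the vulnerable query beside its parameterized form, and adds the kind of check the investigation ended up doing by hand, a scan of free-text columns for URLs or markup the application never writes. It uses Python's built-in SQLite rather than the Microsoft SQL Server/ASP stack from the case, and the `events` table, the rows in it and the `example.invalid` URL are constructed.

```python
import re
import sqlite3


def setup_db():
    """Constructed scheduling database standing in for the non-profit's events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, owner TEXT, details TEXT)"
    )
    conn.executemany(
        "INSERT INTO events (title, owner, details) VALUES (?, ?, ?)",
        [
            ("Food drive", "alice", "Bring canned goods"),
            ("Board meeting", "bob", "Private"),
        ],
    )
    return conn


def events_for_owner_vulnerable(conn, owner):
    """The 'trivial coding error': the caller's string becomes part of the SQL text."""
    sql = "SELECT title FROM events WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def events_for_owner(conn, owner):
    """Hardened form: the driver passes the value separately, so it can never change the query."""
    return [row[0] for row in conn.execute("SELECT title FROM events WHERE owner = ?", (owner,))]


def update_details(conn, event_id, details):
    """Writes are parameterized too; whatever text arrives is stored as data with no SQL meaning."""
    conn.execute("UPDATE events SET details = ? WHERE id = ?", (details, event_id))


# Content the scheduling application never stores in this column; finding it is a signal.
INJECTED_CONTENT = re.compile(r"https?://|<script|<iframe", re.IGNORECASE)


def scan_for_injected_content(conn):
    """Detection: ids of rows whose free-text column carries a URL or markup.

    This is the check the case describes doing during the investigation: the
    redirect URL was sitting in the database, so a periodic scan of text
    columns for unexpected links would have raised the alarm early.
    """
    hits = []
    for event_id, details in conn.execute("SELECT id, details FROM events"):
        if details and INJECTED_CONTENT.search(details):
            hits.append(event_id)
    return hits


if __name__ == "__main__":
    db = setup_db()
    probe = "alice' OR '1'='1"  # textbook probe: a single quote ends the literal early
    print("vulnerable:", events_for_owner_vulnerable(db, probe))  # leaks every owner's rows
    print("parameterized:", events_for_owner(db, probe))          # no owner has that exact name
    update_details(db, 2, "Slides at http://example.invalid/x")   # constructed: simulate stored URL
    print("rows with unexpected content:", scan_for_injected_content(db))
```

The scan is deliberately coarse: a few patterns over a few text columns. Its value is that it runs on a schedule against data at rest, so a stored payload is found on the next run rather than when users start being redirected.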
  27. Recent Cases: Admin Replacement
     • IT administrator no longer trusted
     • Multiple clients ranging from associations, to professional offices, to health care providers
     • IT administrator is going to be let go, has gone missing, or is in jail
     • Password resets:
       – Network devices
         • Firewalls, routers, switches, wireless networks
       – Administrator accounts
         • Servers, PCs, databases, email, applications
       – Service and vendor accounts
         • Backup accounts, application accounts
       – Remote access
         • VPN, portals
       – 3rd party accounts
         • Vendors
       – ALL user accounts
  28. Customer Appreciation Days
     Questions?
     Secure@SAGEComputer.com