Your SlideShare is downloading. ×
  • Like
Information Security: A mindset, not a product
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Information Security: A mindset, not a product

  • 813 views
Published

An overview of IT security threats, common weakness in IT networks, and policies & procedures for reducing risk

An overview of IT security threats, common weakness in IT networks, and policies & procedures for reducing risk

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
813
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. SAGECare® Security Practice Customer Appreciation Days Information Security - A mindset, not a product www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 2. SAGECare® Introductions Security Practice • SAGE Computer Associates, Inc – Designing, installing, supporting computer networks since 1983 – Experience supporting 300+ clients – Certified engineers on staff • Jeff Cohn – President • Jason Appel – Security Practice Manager – CISSP, CCSP, INFOSEC, MCSE, MCT, MCSA, CCDA, CSSA www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 3. This morning... • In the news... • What is Information Security • AAA – Authentication, Authorization, Accounting • Threat Identification • Policies • Case studies: recent local incidents www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 4. In the news… www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 5. Information Security NOT about computers It’s about the information… www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 6. Information Security Goal: IAC triad Availability Integrity Confidentiality www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 7. Integrity • Information is valid and usable • Confidence in the information – Garbage in, garbage out • Preventing accidental or malicious changes • Only authorized changes www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 8. Availability • Information is there when needed • Redundant systems – RAID – Power – Network – Server clusters – Virtualization www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 9. Availability • Data backup, backup… oh, and backup again – Backup testing – Offsite storage – Media encryption • Business Continuity/Disaster Recovery Plan – PLAN (a GOOD 4 letter word) – Practice – Based on roles, not persons www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 10. Confidentiality • Only those authorized have access to information • File permissions and rights – Limit access • Communications – email, voice, file transfer • Encryption • Various models for information classification – Could be time sensitive • Data Destruction www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 11. AAA – Who, What, Where of IAC • Authentication: who are you? – Username/password – 2 factor authentication – Passwords... • Authorization: what can you do? – Rights and permissions • Accounting: who did what? – Logging, auditing and tracking • Identification and deniability www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 12. Threat Identification: External • Breach (Confidentiality, Integrity, Availability) – Possible external access to information or systems • Identity Theft (Confidentiality) – Using someone’s personal data for financial gain • Social Engineering (Confidentiality) – Using confidence (con) to gain access to information – Often used to gain information to create a breach • Spam (Availability, Integrity) – Unsolicited email – May contain malicious code or phishing links • Phishing (Confidentiality) – Spoofed (fake) message to trick people into posting information – Often used as basis for identity theft www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 13. Threat Identification: External • DoS - Denial of Service - (Availability) – Service is not available for legitimate use • Cracking/hacking (Integrity, Confidentiality, Availability) – Unauthorized, actively accessing systems • Malicious code (Integrity, Confidentiality, Availability) – Program or script that will cause harm - aka Malware – Viruses - require software or computer’s components – Worms - functioning and self replicating without computer’s components – Trojan horse - malicious code masked as a useful or desirable program – Spyware/adware - non-malicious software used to track users and display advertising • Often poorly written and causes performance problems • May contain other malicious code www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 14. Threat Identification: Internal • Internal threats – Accidental or deliberate from authorized and trusted sources – Majority of security incidents are from internal sources • Information corruption (Integrity) – Data is not entered correctly or is modified to be wrong • Information destruction (Integrity) – Data is removed or deleted or otherwise inaccessible • Information leak (Confidentiality) – Data is revealed to unauthorized persons • Information outage (Availability) – Data services not available www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 15. What can we do – as an organization • Security Mindset – To catch a thief, think like a thief • Know your data – What would others like to gain access to? – What could be sold? – What you cannot work without? – Legally and contractually protected data • Encryption – A tool, not a panacea – Backup media – Hard drives – Communications – Flash drives • Educate users – Formal policies – Usage training www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 16. What can we do - as an organization • Follow best practices – Updates - Operating systems, firmware, software, Anti-Malware – Protection - Anti-Malware – Minimalist - run only what you need • Secure the network – Firewalls - stateful and deep packet inspection at perimeter – Anti-Malware at perimeter – IPS/IDS, perimeter and internal – DMZ – Software firewalls • Vendor support – Hardware warranties – Communication SLA – Support SLA www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 17. What can we do - as users • Anti-malware software – Run current versions of reputable anti-malware software – Be sure to update regularly with latest virus, adware and spyware definitions • Update all software regularly – Turn on automatic operating system and software updates – Put a reminder on your calendar to check on your other programs regularly • Includes Java, Flash and other browser based programs • If you don’t need it, don’t install it – Do not use free software at work • Malware • Licensing liability www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 18. What can we do - as users • Follow safe browsing and communications practices (internet, email, IM, social sites) – Pop-ups - ALT+F4 to close – Type-in, do not click through, specifically email • Helps avoid phishing and malware – If you would not write it on paper, do not write it (email or online) – Avoid forwarding chain email and questionable jokes • Be aware of who you’re sending it to – Use work PC for work • Know your organization’s policies www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 19. Formal Policies • Formal written policies should be guidelines for behavior and actions – Should be intelligible, readable and realistic documents, not legal contracts • Idea is to augment training and answer questions, not restrict employees www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 20. Formal Policies • Should we delete old emails? Should we reply to spam? • What can we send over email, IM and post on social networking websites? www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 21. Formal Policies • Should we run free software from spam and pop-ups? Open attachments? • Can we listen to streaming music and watch videos over the internet? www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 22. Formal Policies • Is our data safe? What if something happens to the building? • Do we really need passwords? Can we put them on post-its? • Can we access the network remotely? www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 23. Formal Policies • Consistently enforced policies protect both user and organization when facing… – Disasters – Legal discovery – Harassment issues – Employment disputes www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 24. Typical Policies • Computer, network and internet acceptable usage • Email and communications usage and retention • Data retention • Information Security • Business Continuity / Disaster Recovery www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 25. Recent Cases: Billing Website • Online payment system compromised • Healthcare funding organization accepting donations online • Recently changed payment providers to new system • On old system, thousands of small (less than $1) authorizations over a weekend • Analysis – No authorizations only, no charges made – No access to real donor information – Automated submissions, possibly pulled from old website code (5 years old) • Costs: – Incident investigation and report – Processing fees – Employee time & productivity www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 26. Recent Cases: SQL Injection • Database compromise • Not-for-profit community service scheduling events on website • Website began redirecting users to a virus download, and download URL was found in the scheduling database – Database contained customer identifiable info, credit card numbers, and social security numbers • Analysis: – Exploit: websites with a “trivial coding error” and using Microsoft SQL server databases, ASP update not applied to web server – SQL injection: corrupt data was added to database (URL), no data read from database • Costs: – Incident investigation and report – Database sanitizing – Employee time & productivity – all internet access was initially blocked during the investigation – Reputation www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 27. Recent Cases: Admin Replacement • IT administrator no longer trusted • Multiple clients ranging from associations, to professional offices, to health care providers • IT Administrator is going to be let go, gone missing, or is in jail • Password resets: – Network devices • Firewalls, routers, switches, wireless networks – Administrator accounts • Server, PCs, databases, email, applications – Service and vendor accounts • Backup accounts, application accounts – Remote access • VPN, portals – 3rd party accounts • Vendors – ALL user accounts www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 28. Customer Appreciation Days Questions? Secure@SAGEComputer.com www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved