Information Security: A mindset, not a product

An overview of IT security threats, common weakness in IT networks, and policies & procedures for reducing risk

Information Security: A mindset, not a product Presentation Transcript

  • 1. SAGECare® Security Practice – Customer Appreciation Days
    Information Security - A mindset, not a product
    www.SAGEcomputer.com Making Business Smarter ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 2. Introductions
    • SAGE Computer Associates, Inc
      – Designing, installing, supporting computer networks since 1983
      – Experience supporting 300+ clients
      – Certified engineers on staff
    • Jeff Cohn – President
    • Jason Appel – Security Practice Manager
      – CISSP, CCSP, INFOSEC, MCSE, MCT, MCSA, CCDA, CSSA
  • 3. This morning...
    • In the news...
    • What is Information Security
    • AAA – Authentication, Authorization, Accounting
    • Threat Identification
    • Policies
    • Case studies: recent local incidents
  • 4. In the news…
  • 5. Information Security: NOT about computers. It’s about the information…
  • 6. Information Security Goal: IAC triad
    • Availability
    • Integrity
    • Confidentiality
  • 7. Integrity
    • Information is valid and usable
    • Confidence in the information
      – Garbage in, garbage out
    • Preventing accidental or malicious changes
    • Only authorized changes
  • 8. Availability
    • Information is there when needed
    • Redundant systems
      – RAID
      – Power
      – Network
      – Server clusters
      – Virtualization
  • 9. Availability
    • Data backup, backup… oh, and backup again
      – Backup testing
      – Offsite storage
      – Media encryption
    • Business Continuity/Disaster Recovery Plan
      – PLAN (a GOOD 4 letter word)
      – Practice
      – Based on roles, not persons
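The "Backup testing" point on slide 9 is the one most often skipped: a job that reports success is not a backup until something has been restored from it. The following is an added example, not code from the SAGE deck. It archives a constructed directory, records a SHA-256 manifest at backup time, then proves the archive by restoring it into a scratch directory and comparing hashes; the second run shows what the check reports when the data has changed since the job ran. Directory names, file names and contents are constructed sample data.

```python
"""Added example, not from the SAGE deck: a restore test for a backup archive.
"Backup testing" means restoring and comparing, not just seeing that the job
ran. Directory names, file names and contents below are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root) -> dict:
    """Relative path -> SHA-256 of content, for every file under root."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def make_backup(src_dir, archive_path) -> dict:
    """Archive every file under src_dir and return the manifest recorded at backup time."""
    src_dir = Path(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src_dir).as_posix())
    return manifest(src_dir)


def restore_test(archive_path, expected: dict):
    """Restore into a scratch directory and compare with the recorded manifest.
    Returns (ok, sorted list of paths that are missing or differ)."""
    # Newer Pythons accept an extraction filter that refuses unsafe member paths
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        restored = manifest(scratch)
    problems = sorted(p for p, h in expected.items() if restored.get(p) != h)
    return (not problems, problems)


def demo():
    """Back up a constructed tree, prove the restore, then show a stale backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2009-q1.csv").write_text("date,amount\n2009-01-05,120.00\n")
        (src / "donors.txt").write_text("constructed sample record\n")
        archive = Path(work) / "nightly.tar.gz"
        recorded = make_backup(src, archive)
        good = restore_test(archive, recorded)
        # A file written after the job ran is not in the archive; testing the
        # restore against the current state of the data is what surfaces that gap.
        (src / "ledger" / "2009-q2.csv").write_text("date,amount\n")
        stale = restore_test(archive, manifest(src))
    return good, stale


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is stored alongside the job log and the restore test is run on a schedule from the offsite copy, so that the test exercises the same media a real recovery would use.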
  • 10. Confidentiality
    • Only those authorized have access to information
    • File permissions and rights
      – Limit access
    • Communications – email, voice, file transfer
    • Encryption
    • Various models for information classification
      – Could be time sensitive
    • Data Destruction
  • 11. AAA – Who, What, Where of IAC
    • Authentication: who are you?
      – Username/password
      – 2 factor authentication
      – Passwords...
    • Authorization: what can you do?
      – Rights and permissions
    • Accounting: who did what?
      – Logging, auditing and tracking
    • Identification and deniability
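To make the three questions on slide 11 concrete, here is an added example that is not code from the SAGE deck: a small service that answers "who are you?" with a salted PBKDF2 password check, "what can you do?" with a per-role permission set, and "who did what?" with an audit record for every attempt, whether it was allowed or not. The usernames, passwords, roles and permission names are constructed sample data.

```python
"""Added example, not from the SAGE deck: the three A's of slide 11 in one
small service. Users, roles, passwords and permission names are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted key for storage; the plaintext password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


# Authentication store (constructed): username -> (salt, derived key, role)
_salt_a, _key_a = hash_password("correct horse battery staple")
_salt_b, _key_b = hash_password("bookkeeper-2009")
USERS = {
    "jappel": (_salt_a, _key_a, "admin"),
    "bookkeeper": (_salt_b, _key_b, "finance"),
}

# Authorization: rights and permissions per role (constructed, least privilege)
ROLE_PERMISSIONS = {
    "admin": {"read_records", "edit_records", "reset_password"},
    "finance": {"read_records"},
}

# Accounting: every attempt, allowed or denied, leaves a record here
AUDIT_LOG = []


def _record(user: str, action: str, outcome: str) -> dict:
    entry = {"ts": datetime.now(timezone.utc).isoformat(),
             "user": user, "action": action, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry


def authenticate(username: str, password: str) -> bool:
    """Who are you? Recompute the key and compare it in constant time."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password)  # same cost for unknown users as for wrong passwords
        _record(username, "login", "denied:unknown_user")
        return False
    salt, key, _role = rec
    _, candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, key)
    _record(username, "login", "ok" if ok else "denied:bad_password")
    return ok


def authorize(username: str, action: str) -> bool:
    """What can you do? The role's permission set decides, not the caller's say-so."""
    rec = USERS.get(username)
    allowed = rec is not None and action in ROLE_PERMISSIONS.get(rec[2], set())
    _record(username, action, "ok" if allowed else "denied:not_permitted")
    return allowed


def perform(username: str, password: str, action: str) -> str:
    """Authenticate, then authorize, then act; the audit log answers 'who did what?'."""
    if not authenticate(username, password):
        return "login failed"
    if not authorize(username, action):
        return "forbidden"
    return action + " done"


if __name__ == "__main__":
    print(perform("bookkeeper", "bookkeeper-2009", "reset_password"))
    print(perform("jappel", "correct horse battery staple", "reset_password"))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of recording denied attempts as well as successes is the deck's "deniability" bullet: a log that only shows what succeeded cannot tell you who tried.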
  • 12. Threat Identification: External
    • Breach (Confidentiality, Integrity, Availability)
      – Possible external access to information or systems
    • Identity Theft (Confidentiality)
      – Using someone’s personal data for financial gain
    • Social Engineering (Confidentiality)
      – Using confidence (con) to gain access to information
      – Often used to gain information to create a breach
    • Spam (Availability, Integrity)
      – Unsolicited email
      – May contain malicious code or phishing links
    • Phishing (Confidentiality)
      – Spoofed (fake) message to trick people into posting information
      – Often used as basis for identity theft
  • 13. Threat Identification: External
    • DoS - Denial of Service (Availability)
      – Service is not available for legitimate use
    • Cracking/hacking (Integrity, Confidentiality, Availability)
      – Unauthorized, active access to systems
    • Malicious code (Integrity, Confidentiality, Availability)
      – Program or script that will cause harm - aka Malware
      – Viruses - need a host program or computer component to run and spread
      – Worms - run and self-replicate on their own, without a host
      – Trojan horse - malicious code masked as a useful or desirable program
      – Spyware/adware - non-malicious software used to track users and display advertising
        • Often poorly written and causes performance problems
        • May contain other malicious code
  • 14. Threat Identification: Internal
    • Internal threats
      – Accidental or deliberate, from authorized and trusted sources
      – Majority of security incidents are from internal sources
    • Information corruption (Integrity)
      – Data is not entered correctly or is modified to be wrong
    • Information destruction (Integrity)
      – Data is removed, deleted or otherwise made inaccessible
    • Information leak (Confidentiality)
      – Data is revealed to unauthorized persons
    • Information outage (Availability)
      – Data services not available
  • 15. What can we do – as an organization
    • Security Mindset
      – To catch a thief, think like a thief
    • Know your data
      – What would others like to gain access to?
      – What could be sold?
      – What can you not work without?
      – Legally and contractually protected data
    • Encryption
      – A tool, not a panacea
      – Backup media
      – Hard drives
      – Communications
      – Flash drives
    • Educate users
      – Formal policies
      – Usage training
  • 16. What can we do - as an organization
    • Follow best practices
      – Updates - operating systems, firmware, software, anti-malware
      – Protection - anti-malware
      – Minimalist - run only what you need
    • Secure the network
      – Firewalls - stateful and deep packet inspection at perimeter
      – Anti-malware at perimeter
      – IPS/IDS, perimeter and internal
      – DMZ
      – Software firewalls
    • Vendor support
      – Hardware warranties
      – Communication SLA
      – Support SLA
  • 17. What can we do - as users
    • Anti-malware software
      – Run current versions of reputable anti-malware software
      – Be sure to update regularly with the latest virus, adware and spyware definitions
    • Update all software regularly
      – Turn on automatic operating system and software updates
      – Put a reminder on your calendar to check on your other programs regularly
        • Includes Java, Flash and other browser based programs
    • If you don’t need it, don’t install it
      – Do not use free software at work
        • Malware
        • Licensing liability
  • 18. What can we do - as users
    • Follow safe browsing and communications practices (internet, email, IM, social sites)
      – Pop-ups - ALT+F4 to close
      – Type in the address yourself, do not click through, especially from email
        • Helps avoid phishing and malware
      – If you would not write it on paper, do not write it (email or online)
      – Avoid forwarding chain email and questionable jokes
        • Be aware of who you’re sending it to
      – Use work PC for work
    • Know your organization’s policies
  • 19. Formal Policies
    • Formal written policies should be guidelines for behavior and actions
      – Should be intelligible, readable and realistic documents, not legal contracts
    • Idea is to augment training and answer questions, not restrict employees
  • 20. Formal Policies
    • Should we delete old emails? Should we reply to spam?
    • What can we send over email, IM and post on social networking websites?
  • 21. Formal Policies
    • Should we run free software from spam and pop-ups? Open attachments?
    • Can we listen to streaming music and watch videos over the internet?
  • 22. Formal Policies
    • Is our data safe? What if something happens to the building?
    • Do we really need passwords? Can we put them on post-its?
    • Can we access the network remotely?
  • 23. Formal Policies
    • Consistently enforced policies protect both user and organization when facing…
      – Disasters
      – Legal discovery
      – Harassment issues
      – Employment disputes
  • 24. Typical Policies
    • Computer, network and internet acceptable usage
    • Email and communications usage and retention
    • Data retention
    • Information Security
    • Business Continuity / Disaster Recovery
  • 25. Recent Cases: Billing Website
    • Online payment system compromised
    • Healthcare funding organization accepting donations online
    • Recently changed payment providers to new system
    • On old system, thousands of small (less than $1) authorizations over a weekend
    • Analysis
      – Authorizations only, no charges made
      – No access to real donor information
      – Automated submissions, possibly pulled from old website code (5 years old)
    • Costs:
      – Incident investigation and report
      – Processing fees
      – Employee time & productivity
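The pattern in this case, thousands of sub-dollar authorizations over a weekend, is easy to spot after the fact and nearly as easy to alert on while it is happening. The following is an added example, not code from the SAGE deck or the organization involved: it reads gateway-style log lines, keeps a sliding window of small authorizations per source address, and raises one alert per source once the count inside the window crosses a threshold. The log line format, the field names, the addresses and the threshold values are all constructed assumptions for the demonstration, not any real payment provider's format.

```python
"""Added example, not from the SAGE deck: flag bursts of small authorizations
in payment-gateway logs. Log format, thresholds and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed line format: "<ISO timestamp>Z AUTH src=<addr> amount=<n> result=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH src=(?P<src>\S+) amount=(?P<amount>[0-9.]+) result=(?P<result>\w+)$"
)

SMALL_AMOUNT = 1.00      # the deck's "less than $1" authorizations
WINDOW_SECONDS = 60      # sliding window per source address
BURST_THRESHOLD = 5      # this many small authorizations inside the window -> alert


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "amount": float(m["amount"]), "result": m["result"]}


def detect_bursts(lines):
    """Return alerts as (src, window start, count) for each source whose small
    authorizations reach BURST_THRESHOLD within WINDOW_SECONDS. Lines are
    assumed to arrive in time order, as a gateway log normally does."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["amount"] >= SMALL_AMOUNT:
            continue                      # malformed line or a normal-sized transaction
        q = windows[ev["src"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                   # drop events that fell out of the window
        if len(q) >= BURST_THRESHOLD and ev["src"] not in alerted:
            alerted.add(ev["src"])        # one alert per source, not one per event
            alerts.append((ev["src"], q[0].isoformat(), len(q)))
    return alerts


# Constructed sample log: one address probing with small amounts, one normal donor
SAMPLE_LOG = """\
2009-04-18T02:14:07Z AUTH src=203.0.113.5 amount=0.37 result=approved
2009-04-18T02:14:09Z AUTH src=203.0.113.5 amount=0.41 result=declined
2009-04-18T02:14:10Z AUTH src=198.51.100.9 amount=25.00 result=approved
2009-04-18T02:14:12Z AUTH src=203.0.113.5 amount=0.22 result=approved
2009-04-18T02:14:15Z AUTH src=203.0.113.5 amount=0.55 result=approved
2009-04-18T02:14:18Z AUTH src=203.0.113.5 amount=0.19 result=declined
2009-04-18T02:30:00Z AUTH src=198.51.100.9 amount=0.50 result=approved
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print("burst:", alert)
```

Approved and declined authorizations are counted alike, since the case notes that no charges were ever made: the cost here was processing fees and investigation time, not stolen funds, so the signal is the volume of attempts, not their outcome.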
  • 26. Recent Cases: SQL Injection
    • Database compromise
    • Not-for-profit community service scheduling events on website
    • Website began redirecting users to a virus download, and the download URL was found in the scheduling database
      – Database contained customer identifiable info, credit card numbers, and social security numbers
    • Analysis:
      – Exploit: websites with a “trivial coding error” and using Microsoft SQL server databases; ASP update not applied to web server
      – SQL injection: corrupt data was added to database (URL), no data read from database
    • Costs:
      – Incident investigation and report
      – Database sanitizing
      – Employee time & productivity – all internet access was initially blocked during the investigation
      – Reputation
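The "trivial coding error" behind this case is worth seeing next to its fix. The following is an added example, not code from the SAGE deck or from the affected site, run against an in-memory SQLite database rather than the Microsoft SQL Server the case involved; the defect and the remedy are the same on either. The table, its columns, the sample rows and the malware address are constructed. The vulnerable version pastes request values into the SQL text, so an id field carrying extra SQL rewrites every row; the fixed version uses placeholders and rejects a non-integer id outright. The last function is the kind of sweep the investigators ran: which text rows now contain a URL?

```python
"""Added example, not from the SAGE deck or the affected site: the class of
'trivial coding error' in the slide 26 case, shown on an in-memory SQLite
database. Table, columns, rows and the malware address are constructed."""
import re
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, notes TEXT)")
    con.executemany("INSERT INTO events VALUES (?, ?, ?)", [
        (1, "Food drive", "Bring canned goods"),
        (2, "Board meeting", "Room 204"),
        (3, "Volunteer training", "RSVP required"),
    ])
    con.commit()
    return con


def update_notes_vulnerable(con, event_id, notes):
    """The defect: request values are pasted straight into the SQL text."""
    sql = "UPDATE events SET notes = '%s' WHERE id = %s" % (notes, event_id)
    con.execute(sql)
    con.commit()


def update_notes_fixed(con, event_id, notes):
    """The fix: validate the id, and let the driver send values apart from the SQL."""
    event_id = int(event_id)            # raises ValueError for anything that is not a number
    con.execute("UPDATE events SET notes = ? WHERE id = ?", (notes, event_id))
    con.commit()


def notes_by_id(con):
    return dict(con.execute("SELECT id, notes FROM events ORDER BY id"))


URL_RE = re.compile(r"https?://", re.IGNORECASE)


def find_injected_urls(con):
    """Sweep a free-text column for URLs, as the incident investigation did."""
    return [(row_id, notes) for row_id, notes in con.execute("SELECT id, notes FROM events")
            if URL_RE.search(notes)]


def demo_vulnerable():
    con = make_db()
    # Constructed attacker-controlled form fields: the id field carries extra SQL,
    # so the WHERE clause matches every row, not only event 3.
    update_notes_vulnerable(con, "3 OR 1=1", "see http://malware.example/download")
    return notes_by_id(con), find_injected_urls(con)


def demo_fixed():
    con = make_db()
    update_notes_fixed(con, 3, "RSVP by Friday")
    return notes_by_id(con), find_injected_urls(con)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("fixed:     ", demo_fixed())
```

The sweep is crude on purpose: the case notes that the injected data was a URL and that no data was read, so a scan for URLs in columns that should never hold one is both a quick triage step and a cheap recurring check after the fix is deployed.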
  • 27. Recent Cases: Admin Replacement
    • IT administrator no longer trusted
    • Multiple clients ranging from associations, to professional offices, to health care providers
    • IT administrator is going to be let go, has gone missing, or is in jail
    • Password resets:
      – Network devices
        • Firewalls, routers, switches, wireless networks
      – Administrator accounts
        • Server, PCs, databases, email, applications
      – Service and vendor accounts
        • Backup accounts, application accounts
      – Remote access
        • VPN, portals
      – 3rd party accounts
        • Vendors
      – ALL user accounts
  • 28. Customer Appreciation Days – Questions? Secure@SAGEComputer.com