Guard Era Security Overview Preso (Draft) - Presentation Transcript
IT & Internet Security Overview Superior Oil January 17, 2008 Mike Panno GuardEra Access Solutions, Inc. 200 W. 22nd Street, Suite 220 Lombard, IL 60148 847.348.0600
GuardEra Access Solutions, Inc Mike Panno, President & CEO
Discussion Agenda
Why information security?
What is information security?
Top 10 “Must do’s” for small-mid sized businesses
Q&A
Overview
Hackers and thieves are increasingly targeting small businesses
According to a 2005 FBI Study – 90% of businesses and organizations had at least one security incident within the past 12 months
Symantec Internet Threat Report – over 80% of data breaches could be prevented
Overview Cont’d
On average small businesses lost over $200,000 per incident
Consumers are starting to take note of businesses' cyber security records
20% of consumers would not return to a business that had a security breach
85% of consumers would shop more at a business known for good cyber security practices
Overview Cont’d
Small Businesses can no longer afford not to make “cyber security a priority”
There are simple practical steps a small business can take to protect themselves and their customers
A good start is to follow NCSA’s Top 7 Small Business Cyber Security Tips
Conduct a risk assessment and develop a cyber security plan
Spectrum of Cyber Threats (figure; axis labels: Unstructured, Structured, Sophistication)
Hacktivists
Insiders
Information warriors
Intelligence agencies
Terrorists
Industrial espionage
Organized crime
Institutional hackers
Recreational hackers
The Risk Equation
Risk = Threat x Vulnerability x Consequences
Threat: Malicious intentions or capabilities
Vulnerability: Weaknesses in technology, processes, or procedures
Consequences:
Information System Vulnerabilities
Definition: Conditions that may lead to an implicit or explicit failure of the confidentiality, integrity, or availability of an information system
Examples:
Executing commands as another user
Accessing data in excess of specified or expected permission
Posing as another user or service within a system
Causing an abnormal denial of service
Inadvertently or intentionally destroying data without permission
Exploiting an encryption implementation weakness that significantly reduces the time or computation required to recover the plaintext from an encrypted message
Common causes:
Design flaws in software and hardware
Botched administrative processes
Lack of awareness and education in information security
Advancements in the state of the art or improvements to current practices
Potential Consequences
Embarrassment
Repair costs
Misinformation or worse
Loss of (eCommerce) business
Legal trouble
Federal Trade Commission/BJ’s Wholesale Club Case
Three Common Attacks Today
Theft of data and resources
Denial-of-service attacks
Malicious code and viruses
Theft of Data and Resources
Stealing your computer files
Accessing your computer accounts
Stealing your laptops and computers
Intercepting your e-mail
Information Security is a Process
(1) Identify Enterprise Security Risks & Priorities
(2) Define Security Strategies
(3) Design, Test & Implement
(4) Monitor, Anticipate & Respond
(5) Manage & Improve
Start with an assessment of risks, then define security strategies to address the highest-priority items, implement solutions, monitor, and improve upon them.
Defense In Depth: Security Best Practices
Secure your network
Secure your endpoints and devices
Mitigate and control threats
Secure Your Network
Analogy: Gated community
Challenges:
Unauthorized access: Can lead to loss of company data, unplanned downtime, and related liability concerns
Peer-to-peer file sharing and instant messaging: Distracts employees and reduces productivity
Viruses: Can infect systems, bringing them down and resulting in outages and lost revenue
Spam and phishing: Creates a nuisance and contributes to loss of employee productivity
Browsing of non-work-related Websites: Leads to loss of employee productivity and possible company liability issues
Infected VPN traffic: Creates a vector for threats to enter the network and disrupt the business
Solutions:
Secure gateway
Secure access (remote via VPN; on-site via authentication)
Employee awareness and training
Secure Your Endpoints and Devices
Analogy: Individual houses in the community
Challenges:
PCs: Out-of-date software leaves vulnerabilities open
Laptops: Non-corporate web access provides multiple threat vectors; unencrypted laptop theft risks loss of proprietary information
Cell phones, PDAs, smart phones: Same risks as laptops, except that smaller devices are easier to misplace
Wireless access: Public hotspots, conventions, hotels, and airports are wide-open venues for attackers
Solutions:
Update software regularly or automatically
Encrypt endpoints
Employ secure integrated services routers and behavior-based agents
Employee awareness and training
Mitigate and Control Threats
Analogy: Security patrols in the community
Challenges:
Unconnected “seams” between network and hosts could impede “connecting the dots” of an attack
IT support staff often not trained in incident response
Information sharing barriers slow incident awareness
Solutions:
Deploy network flow technology to gain end-to-end view of the network
Develop and train incident response team
Join your sector’s Information Sharing and Analysis Center
Take advantage of US Computer Emergency Readiness Team (US-CERT) and Homeland Security Information Network (HSIN) alert networks
GuardEra’s Services Portfolio: Security Infrastructure; Compliance Assessment and Remediation; Managed IT Services; Network Infrastructure
Top 10 SMB Security Must-do’s:
Model the threats to your business, and perform a security risk assessment
Develop an information security policy, and educate your users
Design a secure network, implement packet filtering in the router, implement a firewall, and use a DMZ network for servers requiring Internet access.
Use anti-virus software, both at the gateway, and on each desktop
Use only Operating Systems that have adequate security baseline capabilities
Know your network, harden systems by removing unnecessary applications, and maintain an aggressive program of patching operating systems and applications
Use personal firewalls, particularly on laptops used by mobile users