Security on a budget

nCircle held a webinar on 6/7 with Mike McKay, Senior Sales Engineer at nCircle. The theme was to give smaller organizations the power to have a big-organization security program.

  1. Security on a Budget. Michael McKay, CISSP, CISA, Senior Security Engineer. © nCircle 2012. All rights reserved. nCircle Company Confidential.
  2. Overview
     • Target audience
     • Are you at risk?
     • How to begin
     • Get some quick wins
     • Your roadmap: the 20 Critical Controls
     • Developing your action plan
  3. Poll Question: How many live IPs do you have on your network?
     • 1–10
     • 11–50
     • 51–100
     • More than 100
  4. Target Audience—does this sound like you?
     • Small to medium-sized business, schools and government
     • Up to 500 employees
     • IT wears many hats
     • Often don’t have a dedicated Information Security department or person
     • Primary security tools are firewalls and antivirus
     • Limited budget for security
     • Management often doesn’t see security as a necessary investment (“why would they go after us?”)
  5. Poll Question: In your opinion, does your company understand the risk of cyber attack?
     • Yes
     • No
  6. Are you at risk?
     • Perception: According to a recent survey conducted by Visa and the National Cyber Security Alliance, more than 85% of small business owners believe their companies are less of a target for cybercrime than large companies.
     • Reality: Hackers and computer criminals are aiming directly at small and midsize businesses. Smaller businesses offer a much more attractive target than larger enterprises that have steeled themselves with years of security spending and compliance efforts.
  7. Small and Mid-size Business is the “sweet spot”
     • Percentage of SMBs lacking basic defenses against cybercrime:
       – Web filtering: 52%
       – Threat training: 39%
       – Anti-spam: 29%
       – Anti-spyware: 22%
       – Firewall: 16%
     Source: Panda Security online survey of 1,400 small and midsize U.S. businesses
  8. More Statistics (and you don’t want to be one)
     • 79% of victims were targets of opportunity
     • 96% of attacks were not highly difficult
     • 94% of all data compromised involved servers
     • 85% of breaches took weeks or more to discover
     • 92% of incidents were discovered by a third party
     • 97% of breaches were avoidable through simple or intermediate controls
     • 96% of victims subject to PCI DSS had not achieved compliance
  9. Poll Question: Does your company need to be PCI Compliant?
     • Yes
     • No
  10. Are you at risk?
     • Cyberthieves funneled $217K from a convention center in Omaha
       – A phishing e-mail installed malware that provided access to the payroll system, and phony employees were added to the payroll
       – “Mules” collected payroll and remitted the funds to the hackers
       – Prior to the heist, the center refused many of the security options offered by its bank, including a requirement that two employees sign off on every transfer.
       – “We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us.” “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”
  11. Are you at risk?
     • $497K stolen from a school district in upstate New York
       – Initial attempt was for $3.8M, but was stopped by the bank
       – Thieves used malware to gain access to online bank accounts
       – Loss represents more than 3% of their annual budget of $15M
     • Cybercrime cost a magazine store in Chicago $22,000
       – Malware on their POS systems sent customer credit card numbers to Russia, where they were used fraudulently.
       – The source of the leak was traced to the store.
       – The store had to pay $22K for the forensic investigation required by MasterCard.
       – The malware was present for over a year before it was discovered.
  12. How to begin protecting yourself
     • Believe in the risk—it’s very real
     • Convince management of the urgency
     • Start with some quick wins—really easy!
     • Great resources: SANS, CIS, NIST, vendors
     • Consensus Audit Guidelines (The 20 Critical Controls)
     • PCI Data Security Standard (essential if you accept credit cards)
     • It’s a journey; find companions to help you
  13. Survey says: The Top Network Vulnerability is … blank or default passwords. nCircle PureCloud benchmark statistics in April showed that eight of the top 10 highest-risk vulnerabilities detected on small business networks are related to blank or default passwords. A good password security policy combined with regular vulnerability scans dramatically reduces your risk.
  14. Some quick wins
     • Change your passwords, now, on everything! Make them strong. Never share them, especially privileged ones. (free)
     • Control remote access services with a firewall (free or $)
     • Use OpenDNS (free or $) to block access to known bad sites
     • Create your Security Policy: SANS (free), InstantSecurityPolicy.com ($)
     • Educate users and managers: SANS Securing the Human ($)
     • Get your roadmap: SANS 20 Critical Controls (free)
  15. What are these 20 Critical Controls?
     • A prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms
     • Developed by a collaboration of leading security experts and CISOs inside and outside of government with extensive experience in incident response, penetration testing, and computer forensics
     • Designed with specific attack scenarios in mind; each Control begins with “How do attackers exploit the lack of this control?”
  16. 20 Critical Controls Guiding Principles
     • Defenses should focus on addressing the most common and damaging attacks occurring today and those anticipated in the near future.
     • Defenses should be automated where possible.
     • The Controls should provide specific, prioritized guidance for how to minimize the risks.
  17. Computer Attacker Activities and Associated Defenses (diagram slide)
  18. (slide with no text)
  19. Critical Control 1: Inventory of Authorized and Unauthorized Devices
     Attackers continuously search for new, unpatched systems that can be automatically exploited. You need to know what’s on your network so you can manage what should be there and detect unauthorized devices.
     • Spiceworks (free)
     • nmap (free)
     • Nessus (free or $)
     • nCircle PureCloud ($)
     • nCircle IP360 ($)
     • nCircle CCM ($)
     – Standardize naming conventions (free)
     – Maintain an asset inventory with network address, machine name, purpose, asset owner, department (free)
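As an added example (not part of the deck or any nCircle product), this is the reconciliation step behind Control 1: parse the grepable output of an nmap ping sweep, compare it against an asset inventory kept with the columns the slide lists, and report live hosts that are not in the inventory. The subnet, hostnames and inventory rows are constructed sample data.

```python
"""Reconcile an nmap host-discovery sweep against an authorized asset inventory (Control 1)."""
import csv
import io
import re

# Constructed sample: nmap grepable (-oG) output for a hypothetical office subnet,
# as a ping sweep like `nmap -sn -oG - 192.0.2.0/28` would produce it.
NMAP_GREPABLE = """\
# Nmap 6.00 scan initiated Thu Jun  7 09:00:00 2012 as: nmap -sn -oG - 192.0.2.0/28
Host: 192.0.2.10 (fileserver.example.test)\tStatus: Up
Host: 192.0.2.11 (ws-accounting.example.test)\tStatus: Up
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.13 (printer.example.test)\tStatus: Down
"""

# Constructed sample inventory using the columns the slide recommends.
INVENTORY_CSV = """\
network address,machine name,purpose,asset owner,department
192.0.2.10,fileserver,File server,J. Smith,IT
192.0.2.11,ws-accounting,Workstation,A. Jones,Finance
192.0.2.13,printer,Network printer,J. Smith,IT
192.0.2.14,ws-sales,Workstation,B. Lee,Sales
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")

def live_hosts(grepable: str) -> dict:
    """Return {ip: reverse-DNS name} for every host the sweep reported as Up."""
    hosts = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            hosts[m.group(1)] = m.group(2)
    return hosts

def reconcile(grepable: str, csv_text: str) -> dict:
    """Split live hosts into authorized/unauthorized and flag inventoried hosts that did not answer."""
    live = live_hosts(grepable)
    inventory = {row["network address"]: row for row in csv.DictReader(io.StringIO(csv_text))}
    return {
        "authorized": sorted(ip for ip in live if ip in inventory),
        "unauthorized": sorted(ip for ip in live if ip not in inventory),  # investigate these first
        "not_seen": sorted(ip for ip in inventory if ip not in live),  # stale entry or powered off
    }

if __name__ == "__main__":
    for category, ips in reconcile(NMAP_GREPABLE, INVENTORY_CSV).items():
        print(f"{category}: {', '.join(ips) or '(none)'}")
```

Run on a real sweep by piping `nmap -sn -oG - <subnet>` into a file and passing its contents together with your inventory export; a ping sweep misses hosts that block ICMP, so treat the "not_seen" list as a prompt to check, not proof that an asset is gone.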
  20. Critical Control 2: Inventory of Authorized and Unauthorized Software
     Unauthorized software is a common source of malware. Authorized software needs to be updated regularly to remediate known vulnerabilities.
     – Spiceworks (free)
     – Kaspersky Antivirus ($)
     – nCircle PureCloud ($)
     – nCircle IP360 ($)
     – nCircle CCM ($)
     – Secunia PSI (free) and CSI ($)
  21. Critical Control 3: Secure Configurations for Hardware and Software on Servers and Workstations
     Building and maintaining your systems to highly secure “best practice” standards greatly reduces the attack surface and makes it more difficult for exploits to spread to other systems. Standard system configurations are also easier and cheaper to maintain.
     – CIS Benchmarks (free)
     – Microsoft MBSA (free)
     – Microsoft security policy templates (free)
     – nCircle Configuration Compliance Manager ($)
     – Secunia PSI (free) and CSI ($)
     – NIST 800-53 (free)
     – Vendor security hardening guidelines (free)
  22. Critical Control 10: Continuous Vulnerability Assessment and Remediation
     New vulnerabilities are discovered every day. You need to continually monitor your network for these vulnerabilities and patch them as quickly as possible. Automated vulnerability scanning tools like nCircle PureCloud can collect a hardware and software inventory in the process, addressing Controls 1 and 2 at the same time.
     – Microsoft WSUS (free)
     – Secunia PSI (free), CSI ($)
     – nCircle PureCloud ($)
     – nCircle IP360 ($)
     – Nessus (free or $)
  23. Control Zero—the most essential one
     • Executive Management Support and Commitment to Security
     • You can’t succeed without this!
  24. Your Action Plan
     – Engage senior management (CIO, CEO, CFO)
     – Compare your current state to the recommendations of the Critical Controls
     – Create your security policy
     – Educate your users about the security policy and the dangers they need to be aware of
     – Implement some “quick win” Critical Controls within 60 days
     – Identify additional Controls to be implemented in the next 60 days
     – Ensure that the Controls are integrated into your routine IT processes
     – Keep improving!
  25. Poll Question: Which security resources and news sites do you visit regularly? (select all that apply, if possible)
     • ISSA – attend local meetings
     • InfraGard – talk to the FBI about security
     • SANS NewsBites
     • Dark Reading
     • Krebs on Security
     • Securosis
     • None of the above
  26. Make some friends and know what’s happening
     • ISSA – Attend local meetings to learn and network (www.issa.org)
     • InfraGard – Meet and talk to the FBI about security (www.infraguard.net)
     • SANS – Everything security, including the Critical Controls (www.sans.org)
       – SANS NewsBites – just what it says (sans.org/newsletters/newsbites/)
     • Dark Reading – security news and research (www.darkreading.com)
     • Krebs on Security – cyber crime news (krebsonsecurity.com)
     • Securosis – security research and advisories (securosis.com)
     • NIST Special Publications (csrc.nist.gov/publications/PubsSPs.html)
     • PCI Data Security Standard (pcisecuritystandards.org/security_standards/)
  27. nCircle Solutions for the 20 Critical Controls (diagram slide)
  28. Questions?
  29. (slide with no text)