Your SlideShare is downloading. ×
Ghassan farra   it security a cio perspective
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Ghassan farra it security a cio perspective

343
views

Published on


0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
343
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. IT Security a CIO Perspective
    The 3rd Kuwait Info Security Conference & Exhibition
    By
    GhassanFarra
    Senior Consultant
    The Advance Technology Group
  • 2. IT Security Architecture
    Business Strategies driving the business
    Management and Operational Policies
    Hardening, HIPS
    Secure encryption, authentication technologies
    Security practices in development, Penetration Tests
    Firewalls, NIPS
    Operational Procedures,
    Audits, Log Analysis, Content Inspection
    Business Continuity, Incident Response
    5/26/2011
    3rd Annual InfoSecurity Conference
    2
  • 3. Pitfalls in Security Fortress
    5/26/2011
    3rd Annual InfoSecurity Conference
    3
    Unforeseen (harmless!) practices and technologies can bring the security fortress down to crumble and expose the entire infrastructure to numerous risks and threats
  • 4. PST Files
    Risks
    - Majority of the enterprise sensitive documents sits today in email messages..
    - Messages are archived to local PST files which often get lost due to employee exit or damaged due to size limitation.
    - PST Files often elude retention Policy
    Mitigation
    - Mail Archiving Solution
    - Central repository for sharing document
    5/26/2011
    3rd Kuwait InfoSecurity Conference
    4
  • 5. 3rd Party Network Access
    Risks
    - Allowing 3rd party network access (3G,4G) opens path way to corporate network
    - Infrastructure is exposed to threats
    - Theft of Critical information
    Mitigation
    - Define and establish policy and procedures
    - End point or Port control Solution
    5/26/2011
    3rd Annual InfoSecurity Conference
    5
  • 6. Wireless Network
    Risks
    - Usage of weak encryption algorithms
    - Lack of Identification & Authentication of Base stations
    - Un-encrypted communication channel
    Mitigation
    - Use latest Wireless Encryption protocols
    - Enable authentication to access wireless services
    - Rogue-Base stations monitoring
    5/26/2011
    3rd Annual InfoSecurity Conference
    6
  • 7. Laptops Theft or Damage
    Risks
    - Laptops Contains Highly critical data
    - Allow easy retrieval of data without any controls implemented (i.e. Full disk encryption)
    Mitigation
    - Management Policies / Guidelines
    - Full disk encryption and backups
    - Awareness on using laptops (in and out of office, public places etc)
    5/26/2011
    3rd Annual InfoSecurity Conference
    7
  • 8. HR Processes
    Risks
    - No notification on employee exit or internal transfers
    - Access privileges to corporate data
    - Access to critical business applications
    Mitigation
    - Define Corporate Policy
    - Establish the process or procedure
    5/26/2011
    3rd Annual InfoSecurity Conference
    8
  • 9. Removable Media
    Risks
    - Computer infection with malicious code or malware (in-turn network); i.eStuxnet
    - Authorized and un-authorized information Stealing
    Mitigation
    - End point or Port control (USB, CD-ROM, Serial, Parallel ,etc) solution
    - Encrypt the external media (USB, DVD/CD for critical information)
    - Policy & Guidelines to support and tune the solution
    5/26/2011
    3rd Annual InfoSecurity Conference
    9
  • 10. Clean Desk
    Risks
    - Access to critical Physical Data
    - Unauthorized Access to user accounts and business applications
    Mitigation
    • Define and establish policy and procedures
    • 11. Security & Information handling Awareness campaign
    • 12. Locking of desktops & Critical applications (automatic & manual)
    5/26/2011
    3rd Annual InfoSecurity Conference
    10
  • 13. Single Sign on
    Risks
    - Compromising one’s account allows Access to multiple Systems
    - All applications are available with user SSO, this leaves pathway to information leak or privacy violation
    Mitigation
    - Enforce strong factor authentication
    • Enforce automatic workstation lock-out
    - Enforce session idle time-out
    5/26/2011
    3rd Annual InfoSecurity Conference
    11
  • 14. IT Asset Management
    5/26/2011
    3rd Annual InfoSecurity Conference
    12
    Risks
    - No structured process to manage assets
    - No policy or procedure to handle end-of-life or disposition assets
    - No data sanitization procedures
    - Critical information is available on the disks
    Mitigation
    - Define and establish Asset Management Process
    - Define and Establish Data sanitization procedures
  • 15. 5/26/2011
    3rd Annual InfoSecurity Conference
    13