Information security for business majors
  • Gauge your response to the previous slide. If you were scared, consider whether or not you would panic in the face of a catastrophic security event. If you were skeptical, consider whether or not you would take a threat seriously enough to be prepared.
  • The average time for an unpatched Windows server on the Internet to be compromised is 3-6 hours. The overwhelming majority of data breaches are caused by human error. If you have any one of these things, hackers can monetize them. Computers of any kind can be rented out to send spam or launch DDoS attacks. Personal data, referred to as “dumps,” is stolen and sold by the thousand on the Internet. Money in bank accounts is transferred by EFT and then wire transfer out of the country, where it is laundered. Credit card numbers are used to purchase stolen goods which are shipped overseas. Despite all of this, consumer-based ecommerce continues to grow 15-20% annually. If you sell to consumers, the Internet isn’t where you want to be, it’s where you HAVE to be.
  • Information security can be summed up as “loss avoidance.” The value proposition is that these efforts are less expensive than the consequences of not having them. Regulation makes some parts of security the price of admission; the rest is about striking a balance between security and flexibility. See Bruce Schneier’s book, Beyond Fear.
  • Known as the CIA Triad, these are the “ilities” that security controls impact directly. There are other “ilities”: flexibility, scalability, portability, profitability. But even at its best, security is only an enabler of these things. At either extreme, security blocks them.
  • Preventive IT controls are not infallible, and covering 100% of corner cases with your controls costs too much and hamstrings your actual business. Auditing controls are time-consuming, and usually any damage is already done by the time an audit discovers it. Monitoring controls are typically based on sampling, which means you might miss something. They are more intended as a quality or health check.
  • I like the Richard Clarke quote from your book: “If you spend as much on information security as you spend on coffee, you will be hacked, and you’ll deserve to be hacked.” Of course, Mr. Clarke is wrong, because having a security incident is not an issue of if, but an issue of...? Wrong. Not “when” but “how often.”
  • Consulting on projects or with operations teams leads to better security outcomes because security is considered earlier in the process.Raising awareness and then inviting people to share concerns is a great way to organically scale your visibility to issues. By being proactive and meeting colleagues where they are, you gain goodwill for your security efforts. This is a key piece of a successful security program. Strong-arm tactics are a guaranteed path to failure. Without goodwill and trust, the security practice in your company quickly becomes an obstacle for people to bypass in order to get their jobs done. This is how you lose your job.
  • Picture of some funny security FAIL
  • Picture of some funny security FAIL
  • Picture of some funny security FAIL
  • Buying and integrating security technology only works some of the time, and that time is not right now. Information security is an arms race. Technology is both the weaponry and the battlefield. Security is not a problem that can be solved. Security is a practice that must be maintained with people and process.

Presentation Transcript

  • Management of Technology BUS 656
    Information Security for Business
    Paul Melson
    Manager, Information Security
    September 29, 2010
  • OK, so how bad is it really?
    Since 2005, 510,544,441 personal records were exposed in 1,735 breaches.
    Every computer on the Internet is attacked an average of 4 times a day.
    In Q2 2010, Symantec wrote 457,641 new anti-virus signatures.
    Internet-based fraud set a new record in 2009, $560 million in losses to US companies.
  • Are you scared?
    …or skeptical?
  • The sky is always falling!
    Every network is under constant attack.
    The people that work for you make mistakes.
    If you have computers, data, or money your business is worth exploiting for hackers.
    The world continues to turn.
    The goal of security is to enable your business to survive the hostile environments in which we work and communicate.
  • Information Security’s Business Value
    Compliance with laws and standards
    Avoid fines and penalties
    Support the image of your business as trustworthy
    Fraud prevention and response
    Avoid financial losses
    Minimize loss, improve recovery
    Data breach prevention and response
    Avoid financial losses and damaged image
    Minimize impact and duration of the breach
  • How Information Security Works
  • The Goals of Security
  • Policy
    Policies are just rules and principles.
    Policies are useless if nobody reads them.
    A good security policy ties the desired outcomes (i.e. “mitigate risk,” “ensure compliance”) to high-level tactics (i.e. “password rotation,” “hard drive encryption”).
  • Controls
  • Tools of The Trade - Preventive
    Firewall – Network filtering and monitoring device. Used to protect trusted systems from untrusted systems.
    Antivirus – Software that runs on a computer and scans files as they are saved or opened for patterns (“signatures”). Known “bad” files are deleted.
    IPS – Network “sniffing” device that sits on the network. Works like antivirus, but for network packets instead of files. Known “bad” traffic is dropped before it reaches sensitive systems.
  • Tools of The Trade - Auditing
    Vulnerability Scanning – Software that scans addresses and ports on a network looking for known vulnerabilities and reports on them. Used to find weak spots before attackers do.
    Penetration Testing – Hiring specially skilled consultants to try and hack and “social engineer” their way into your systems from the outside to replicate a hacker attack.
  • Tools of The Trade - Monitoring
    SIEM – Software that collects log data from multiple sources (firewall, IPS, servers, etc.) and correlates them looking for suspicious behavior or policy violations. Also used to investigate security incidents.
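As an added illustration of the SIEM correlation described above (example code written for this page, not the presenter's or any product's), the following Python takes a handful of constructed firewall and server log lines from two sources and applies one correlation rule: a successful login preceded within five minutes by repeated failed logins and firewall denies from the same source address is raised as an alert. The log formats, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in hypothetical firewall and server formats.
LOGS = [
    "2010-09-29T10:00:01 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2010-09-29T10:00:03 firewall DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2010-09-29T10:00:08 server sshd: Failed password for admin from 203.0.113.7",
    "2010-09-29T10:00:09 server sshd: Failed password for admin from 203.0.113.7",
    "2010-09-29T10:00:10 server sshd: Failed password for admin from 203.0.113.7",
    "2010-09-29T10:00:15 server sshd: Accepted password for admin from 203.0.113.7",
    "2010-09-29T10:05:00 server sshd: Failed password for bob from 198.51.100.4",
    "2010-09-29T11:30:00 firewall DENY src=192.0.2.9 dst=10.0.0.5 dport=22",
]

LINE = re.compile(r"^(\S+) (\w+) (.*)$")
IP = re.compile(r"(?:from |src=)(\d+\.\d+\.\d+\.\d+)")
EVENTS = {"DENY": "deny", "Failed password": "auth_fail", "Accepted password": "auth_ok"}

def parse(line):
    """Normalise one raw line into (timestamp, source, src_ip, event_type)."""
    ts, source, msg = LINE.match(line).groups()
    ip = IP.search(msg)
    event = next((v for k, v in EVENTS.items() if k in msg), "other")
    return datetime.fromisoformat(ts), source, ip.group(1) if ip else None, event

def correlate(lines, window=timedelta(minutes=5), min_failures=3):
    """Rule: a successful login preceded (within `window`) by at least
    `min_failures` failed logins and at least one firewall deny from the
    same source IP is flagged as a probable brute-force success."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, source, ip, event = parse(line)
        if ip:
            by_ip[ip].append((ts, source, event))
    alerts = []
    for ip, events in by_ip.items():
        events.sort()  # events from both sources interleaved by time
        for i, (ts, _, event) in enumerate(events):
            if event != "auth_ok":
                continue
            recent = [e for e in events[:i] if ts - e[0] <= window]
            fails = sum(e[2] == "auth_fail" for e in recent)
            denies = sum(e[2] == "deny" for e in recent)
            if fails >= min_failures and denies:
                alerts.append({"ip": ip, "time": ts.isoformat(),
                               "failed_logins": fails, "firewall_denies": denies})
    return alerts
```

A single source on its own (the firewall denies or the failed logins alone) would not fire this rule; the value comes from seeing both feeds together, which is the point of the SIEM description above.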
  • Risk Management
    Risk management is what you do once you realize that you can’t do it all right now.
    Identify, Assess, Prioritize, Act
    Risk = Impact x Likelihood
    On prioritization:
    Risk scoring mechanisms are only good at describing things relative to each other in the same environment, and they get better over time.
  • Risk Management
    What can we do with risk?
  • Incident Response
    You will have a very bad day.
    More than once
    Prepare, Identify, Contain, Recover, Learn
    Today, this is your best and only hope.
  • Awareness & Consultation
    This is your chance to get ahead of the curve!
    Raising awareness gets you in the loop.
    Executive Reporting
    Top Security Risks
    Risk Mitigation Plans
    “Big Deal” Events
    Relevant Trends in Metrics
  • How IT Security Fails
  • You say “potato,” I say “No.”
    Security and compliance tactics are naturally risk-averse
    All successful businesses take calculated risks
    Clear direction from leadership on risk is key
  • Communication
    Information Security has its own cryptic language.
    …and so do you.
    Mission statements and corporate values can become a Rosetta Stone
    Al$o, there’$ a $econd univer$al language
  • Why Buying Security Fails
    In 1990, if you had a firewall with a default deny policy and were enforcing strong passwords, you were secure. By 1996, it didn’t matter anymore.
    In 2002, if you had a regimented security patch cycle for your servers and were scanning your network for known vulnerabilities, you were secure. By 2007, it didn’t matter anymore.
    In 2010, the pendulum hasn’t swung back yet.
  • Discussion