Enterprise under attack dealing with security threats and compliance

A security hole in an application can cause not only major financial loss but also loss of customer confidence, trust and reputation, severely impacting the business. This webinar looks at well-established industry practices to identify and secure applications from breaches while adhering to regulatory compliance requirements.

Published in: Technology
Speaker notes (run of show)
  • Webinar Starts at 10:30 PM IST

    OI to enter the local start time

    00:00 hrs
    David and/or Amit to initiate
  • 00:00 hrs + 2 minutes

    Key word for next slide = “Next we talk about the speakers…”
  • 00:00 hrs + 4 minutes

    Key word for next slide = “Next we talk about the Topics for Discussion…”
  • 00:00 hrs + 6 minutes

    Indication for Pramod to take over from David/Amit

    Key word for slide change = “I would now ask Pramod to introduce us to Enterprise Security…”
  • 00:00 hrs + 9 minutes

    Indication for slide change = “Next we will talk about the Security Landscape…”
  • 00:00 hrs + 14 minutes

    Indication for slide change = “I will now ask LN to take us into the Security Aspects for Enterprises …”

    Time for first polling question
  • 00:00 hrs + 18 minutes

    Indication for slide change = “Now we can look into the Infrastructure Data Breach data…”

  • 00:00 hrs + 21 minutes

    Indication for slide change = “A bird's-eye view of the vulnerability map depicted by Homeland Security…”

  • 00:00 hrs + 22 minutes

    Indication for slide change = “Let's now talk about Infrastructure Security…”

  • 00:00 hrs + 25 minutes

    Indication for slide change = “Let's now talk about Application Security…”

  • 00:00 hrs + 26 minutes

    Indication for slide change = “Coming to Application Security Landscape…”

  • 00:00 hrs + 31 minutes

    Indication for slide change = “Coming to compliances…”

  • 00:00 hrs + 34 minutes

    Indication for slide change = “The components of Enterprise Security…”

  • 00:00 hrs + 39 minutes

    Indication for slide change = “Planning for Security…”

    Seeded Question: At our organization we use a commercial tool to do all the vulnerability scanning, is it not enough to secure the enterprise?
  • 00:00 hrs + 40 minutes

    Indication for slide change = “Compliance Planning…”

  • 00:00 hrs + 41 minutes

    Indication for slide change = “Levels of Security …”

  • 00:00 hrs + 43 minutes

    Indication for slide change = “Operational View of Security…”

  • 00:00 hrs + 44 minutes

    Indication for slide change = “I now request Vinay to talk about The budgets and Value for securing IT assets…”

    Time for second polling question
  • 00:00 hrs + 46 minutes

    Indication for slide change = “Coming to the value of security testing…”

  • 00:00 hrs + 49 minutes

    Indication for slide change = “Pramod will now conclude with a summary of the discussion…”

  • 00:00 hrs + 50 minutes

    Indication for slide change = “We are now onto Q & A…”

    David / Amit to take over. They can talk about the results of the poll responses.

Slide transcript

Slide 1: Enterprises under Attack: Dealing with security threats and compliance
Sponsored by: SPAN Systems Corporation
Produced and Presented by: The Outsourcing Institute

Slide 2: The Outsourcing Institute
• Located at outsourcing.com – Over 70,000 Executive Members Globally
• Trends, Best Practices, Case Studies
• Training Through OI University
• Specialize in Low Cost Alternatives for Outsourcing Buyers Needing Assistance with RFP Development and/or Vendor Selection:
  – Outsourcing RFP Builder Software
  – Matchmaker Service
• Qualified Demand Generation Programs
• Outsourcing Jobs Opportunities and Recruiting Services Through CMS Inc.
• Local, Intimate and Interactive Outsourcing Road Show
• Sponsorship and New Business Development Opportunities & Programs
For more information contact us at: info@outsourcing.com or 516-279-6850 ext. 712

Slide 3: Today’s Speakers
Copyright: SPAN Systems Corporation, www.spansystems.com
• Amit Singh, Partner, Avasant
• Vinay Ambekar, Senior Vice President, Engineering, Lavante Inc.
• Pramod Grama, Co-founder and Executive Vice President, SPAN Infotech (India) Pvt. Ltd.
• Lakshminarasimha Manjunatha Mohan, Solution Architect, SPAN Infotech (India) Pvt. Ltd.

Slide 4: Topics
• Enterprise Security Stature
• Enterprise Security Landscape
• Value of Enterprise Security
• Dealing with Security Threats and Compliances
• Application Security
• Infrastructure Security
• Compliances Validation
• Budgeting for Security
Slide 5: Enterprise Security Stature
Security is an ever moving target.
• Human errors and system glitches caused nearly two-thirds of data breaches globally in 2012
• Malicious or criminal attacks are the most costly threats, at an average of $157 per compromised record
  Source: 2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec, June 2013
• Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities
• By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service
  Source: Gartner Top Predictions for 2012: Control Slips Away, Gartner, December 2011

Security Breach Statistics – Small Organizations (2012, with 2011 in parentheses)
  Attacked by an unauthorized outsider: 63% (41%)
  Hit by denial-of-service attacks: 23% (15%)
  Network penetration by outsiders: 15% (7%)
  IP and Confidential Data Theft: 9% (4%)

Security Breach Statistics – Large Organizations (2012, with 2011 in parentheses)
  Attacked by an unauthorized outsider: 78% (73%)
  Hit by denial-of-service attacks: 39% (30%)
  Network penetration by outsiders: 20% (15%)
  IP and Confidential Data Theft: 14% (12%)
  Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK
Slide 6: Enterprise Security Landscape
Enterprises must address security threats in order to conduct the business safely.

Application Security (OWASP Top 10):
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

Infrastructure Security (diagram: Firewall → Web server → Firewall → Application Server → Database Server)
Network Security:
• Router
• Firewall
• Switch
Host Security:
• Patches and Updates
• Services
• Protocols
• Accounts
• Files and Directories
• Shares
• Ports
• Registry
• Auditing and Logging
Slide 7: Dealing with Security Threats and Compliances
Security is not a product, but a process.

Enterprise Security – Approach
Pre-Production Security Testing:
• Application Security Tests
• Infrastructure Security Tests
Post-Production Security Testing:
• Periodic Security Audits
• Compliance Validations
• Managed Security Monitoring and Operations

Establish Enterprise Security Baseline
• Applications Security Testing
• Infrastructure Security Testing
• Compliance Validations
Maintain Baseline Security Stature
• Security Validation across SDLC
• Security Monitoring and Operational Security
• Periodic Security Audits and Compliance Validations
Slide 8: Infrastructure Security
Threats + Motives + Tools and Techniques + Vulnerabilities = Attack
Source: http://hackmageddon.com

Slide 9: Infrastructure Security
The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack.
http://money.cnn.com/2013/01/09/technology/security/infrastructure-cyberattacks/
http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2012.pdf
Slide 10: Infrastructure Security
• Plan to secure the infrastructure (Network, Servers, Desktops and Mobile)
• Perform Attack Surface Analysis and design a Secure Architecture
• Consider both Internal and External Penetration tests to address internal abuse and external intrusion
• Plan for Operational Security through Managed Security Services such as Unified Threat Management

Enterprise Network Security activities (diagram): Elicit Security Requirements → Threat Modeling and Attack Surface Analysis → Vulnerability Assessment → Penetration Testing → Ethical Hacking
Operations Security & Monitoring:
• Threat Management
• Incident Management
• Log Management

Security breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation and loss of customers.
Slide 11: Application Security
About 90% of the applications tested by SPAN revealed at least one HIGH RISK vulnerability (Source: SPAN Security Testing Metrics)
[Chart: Applications Vulnerability Distribution - OWASP Top 10 Vulnerabilities (Source: SPAN Security Testing Metrics)]

Slide 12: Application Security
• Assess the required Security Level for the application based on the data sensitivity and threat exposure
• Employ vulnerability management and plan to preempt vulnerabilities from occurring: shift left from detection to prevention
• Plan for application security for every release
• Plan the required level of security verification for the release based on the quantum and criticality of the change in code
• Ensure that the Security Team has qualified Ethical Hackers, Secure Programmers and Security Architects
• Follow methodologies widely accepted by industry, such as the OWASP Application Security Verification Standard
• Plan to test all the components with the identified rigor
• No tool in the industry can identify all the vulnerabilities: combine skilled exploratory testing by ethical hackers with the power and speed of the tools

The need is for more secure software, NOT more security software.

Application Security across the SDLC (Requirements → Design → Development → Deployment → Post-Deployment):
• Elicit Security Requirements (Evil Stories)
• Threat Modeling and Attack Surface Analysis
• Security Code Review
• Vulnerability Assessment
• Penetration Testing
• Ethical Hacking
Slide 13: Compliance Validation
• Establish Compliance Requirements – Regulatory, Standards and Legal
• Plan for Pre-Audits
• Establish Compliance Metrics Dashboard and keep track
• Perform a Statistical Analysis and Implement Lessons Learned
[Chart: Example Security Compliance Dashboard]

Enterprise Security Compliances (Source: http://www.isaca.org/)
Physical Security:
• Access Control & Management
• Secured Data Centers
Application Security:
• Secure Design
• Secure Development
• Vulnerability Management
• Periodic Penetration Testing
Infrastructure Security:
• Threat Management
• Events and Log Management
• Incident Management
• Periodic Penetration Testing
Process Security:
• Change Control Management
• Policies and Procedures
Slide 14: Enterprise Security
Security Test Methodology (Penetration Testing): Information Gathering → Threat Modeling and Attack Surface Analysis → Vulnerability Analysis → Exploitation → Advancing Exploitation → Reporting
Areas covered:
• Application/System Security
• Network Security
• Identity and Access Control
• Physical Security
• Threat Management
• Logs and Event Management
• Incident Management
Activities: Requirements Gathering, Threat Profiling, Security Testing, Periodic Testing, Compliance Validation
It is far preferable to do something NOW to avert and minimize harm before disaster strikes.

Slide 15: Enterprise Application Security Plan
[Diagram only]

Slide 16: Enterprise Compliance Validation Plan
[Diagram only]
Slide 17: Security Verification Level Selection
The sensitivity of the application is identified based on the sensitivity of the data processed by the application and the impact on the business by the application. Identify what is BEST for you; all best practices are contextual.

Application exposed over internet for public
  Highly Sensitive: Threat Modeling & Attack Surface Analysis; Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing
  Moderately Sensitive: Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing
  Low Sensitive: Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing

Application exposed to legitimate users over Intranet or Dedicated Channels
  Highly Sensitive: Threat Modeling & Attack Surface Analysis; Static Code Analysis; Security Code Review; Application Penetration Testing
  Moderately Sensitive: Static Code Analysis; Security Code Review; Vulnerability Assessment; Application Penetration Testing
  Low Sensitive: Static Code Analysis; Vulnerability Assessment
Slide 18: Operational View of Security Testing
Security Testing – Operational Overview
Threat Modeling and Attack Surface Analysis (spans the whole lifecycle)
Pre-Production Security Testing:
  Static Security Testing:
  • Automated Static Code Analysis - Security
  • Manual Security Code Review
  Dynamic Security Testing:
  • Automated Vulnerability Scanning
  • Penetration Testing
  • Ethical Hacking
Production Security Testing:
• Compliance Validation
• Security Monitoring
Slide 19: Budgeting for Security
Enterprises must plan to protect the brand, attain compliance and avert costly breaches.
[Chart: Business Drivers for Information Security Expenditure]
• Protecting other assets (e.g. Cash) from theft
• Improving efficiency / cost reduction
• Enabling business opportunities
• Protecting intellectual property
• Business continuity in a disaster situation
• Protecting customer information
• Preventing downtime and outages
• Complying with laws/regulations
• Protecting the organisation’s reputation
• Maintaining data integrity
Information Security Expenditure
• 10% of IT budget is spent on average on security (up from 8% a year ago)
• 16% of IT budget is spent on average on security where security is a very high priority (up from 11% a year ago)
• 92% of respondents expect to spend at least the same on security next year (and 47% expect to spend more)
Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK
Slide 20: Value of Enterprise Security
Protect the brand, attain compliance and avert costly breaches.
Save Money and Business
• Avoid the potential penalties due to non-conformance to security compliances
• Avoid the losses due to financial fraud, identity theft, regulatory fines
Better Protection of Assets and Business
• Proactively respond to the real world security threats
• Comply with different standards and regulatory compliances
Gain competitive advantage
• Increased TRUST of users and customers
• Avoid brand damage, downtime and loss of customers

Slide 21: Summary
Enterprises are under attack due to continuous discovery of vulnerabilities.
Enterprises can deal with security threats and meet the regulatory compliance demands by:
• Planning for securing assets
• Assessing gaps and establishing a baseline security
• Maintaining security by employing Application Security, Infrastructure Security and Operations Security measures
• Achieving Compliance by Pre-Audits and continuous management of trends
Protect Business, Save Money and Gain Competitive Advantage by ensuring Enterprise Security.
Slide 22: SPAN Systems Corporation
• U.S. ‘C’ Corporation, incorporated 1993
• Wholly owned by EVRY (www.evry.com), a $2.3 Billion Nordic company
• Ranked #7 Best IT Places to Work For in India; Historically low attrition
• CMMI5, ISO 9001 and ISO 27001 certifications
• Strong Relationship Management
• Customers range from Fortune 5 to SMEs

Slide 23: Poll Questions
How important is security testing for you?
• Critical
• Very Important
• Important
• Not Important
• Can’t say
Do you have a security solution in place for your enterprise? If not, would you like to implement one?
• Have NO security solution and want to implement immediately
• Have a reasonable security solution and want to look at options to strengthen the solution
• Have a very secure solution and would not want to make any changes
• Have NO security solution and do not want to implement any security measures

Slide 24: Thank you for joining
Enterprises under Attack: Dealing with security threats and compliance
This webinar was sponsored by SPAN Systems Corporation in conjunction with The Outsourcing Institute.
• Amit Singh, Partner, Avasant
• Vinay Ambekar, Senior Vice President, Engineering, Lavante Inc.
• Pramod Grama, Co-founder and Executive Vice President, SPAN Infotech (India) Pvt. Ltd.
• Lakshminarasimha Manjunatha Mohan, Solution Architect, SPAN Infotech (India) Pvt. Ltd.