Security Compliance and Management - Issues Faced by Organisations Today.




  1. Gilbert Verdian MBA, CISA, CISSP, EMEA Security Architecture and Consulting Manager. Security Compliance and Management - Issues Faced by Organisations Today. InfoSec 2007 - London
  2. Agenda
     - Security is Dynamic
     - Threats
     - Current Issues
     - Addressing Issues
  3. Security is Very Dynamic
     - The landscape is constantly changing:
       - New Technology
         - New Operating Systems: Vista, Apple Leopard
         - Ubiquitous Computing & Interconnectivity
       - Threats
         - Web Applications
         - Malware/Spyware
         - Botnets
       - Motivation
         - $, £, €
  4. Threats are Changing - Hacking Then
     - "Hacking was about learning how a computer operates. You always tried to push it to the edge. Kids these days, they just want to do any damage they can" - Val Koseroski
     - Hacking was about bragging rights
       - What skills you had
       - How you came up with the idea that beat the system
     - Fixing things
       - Frustration from restrictions (hardware/software)
       - Finding ways to push the limits
     - Sharing
       - Helping others to learn what you discovered
       - Helping to fix the problems in place
  5. Threats are Changing - Hacking Now
     - Now there is profit to gain
       - Black Market
       - Trade Vulnerabilities - 0 day
       - Trade accounts
         - Paypal
         - Credit Cards, Bank Account Details
       - Trade Servers
       - Trade Identities
     - Malicious Intent
       - Botnets
       - Malware/Spyware
       - DDoS
         - Root Servers in March
  6-9. Threats are Changing (four image-only slides; no text was extracted)
  10. What Affects Organisations
     - Statutory and regulatory compliance deadlines and stepped up enforcement and penalty actions
       - E.g., statutory - HIPAA, Sarbanes-Oxley, Patriot Act, Privacy Act, Gramm-Leach-Bliley (GLB), EU Privacy Directives
       - E.g., regulatory - SEC, OCC, FRB, Turnbull report, Basel II, ITAR/EAR and export control
     - Virus attacks and threats are increasing at a faster rate
     - A demand for ROI on security spend
     - No longer just about compliance - executives require business value
     - Public trust of brand and image is under attack
       - Privacy concerns
       - Continuity of operations fears
     - New and complex business models add risk
  11. Typical Security Functions in Organisations - Segregated Security Management (diagram; the functions are split across boxes labelled "Security Department", "IT Functions" and "Security Function")
     - Networks
       - Firewalls
       - IDS/IPS
     - Desktops
       - AV
       - Personal FWs
       - Malware/Spyware
       - Patching
     - Servers
       - User Provisioning
       - AV
       - Patching
  12. Large amounts of Segregated Security Data (diagram): the functions do not share information with each other
  13. Security Management
     - Help is on the way
     - Proper Risk Management
       - IT Risk is part of Business Risk
       - Risk goes to Board level
         - Criminal prosecution
       - Single view of Risk Level
     - Automation using tools and Methodologies
       - Bindview, Probity
       - OCTAVE, MORDA
       - Single view of IT Landscape (Dashboards)
       - Log collection and correlation - SIMs
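Slides 11 to 13 make one argument: the firewall, IDS/IPS, AV and patching functions each hold their own data, none of it is shared, and the remedy is to collect the logs centrally and correlate them into a single view. The following is an added illustration of that correlation step, written for this page and not taken from the deck, any vendor product or the tools it names. The log format, the source names, the host names and the sample events are all constructed assumptions; a real SIM would normalise each vendor's format first, but the per-host join and time-window logic is the part the slides are about.

```python
"""Correlate log lines from separate security silos into one per-host view.

Added example (not from the slide deck). The line format
"<ISO timestamp> <source> host=<name> <message>" is an assumption chosen so
that one small parser covers every silo named on slide 11.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; these are not real logs or real indicators.
SAMPLE_LOGS = """\
2007-04-24T09:00:05 firewall host=ws-017 DENY outbound tcp dst=203.0.113.9:6667
2007-04-24T09:00:41 ids host=ws-017 ALERT signature="suspicious outbound IRC traffic"
2007-04-24T09:02:10 antivirus host=ws-017 DETECTED trojan.generic action=quarantine-failed
2007-04-24T09:05:00 patching host=ws-017 MISSING critical update (placeholder id PATCH-0001)
2007-04-24T09:07:30 antivirus host=srv-db01 CLEAN scheduled scan completed
2007-04-24T09:09:12 firewall host=ws-042 DENY outbound tcp dst=198.51.100.7:25
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) host=(?P<host>\S+) (?P<msg>.*)$")

# Which message keywords count as a negative finding for each silo.  Informational
# lines (e.g. a clean AV scan) are deliberately not findings.
FINDING_KEYWORDS = {
    "firewall": ("DENY",),
    "ids": ("ALERT",),
    "antivirus": ("DETECTED",),
    "patching": ("MISSING",),
}


def parse(text):
    """Turn raw lines into event dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "source": m["source"],
            "host": m["host"],
            "msg": m["msg"],
        })
    return events


def is_finding(event):
    return any(k in event["msg"] for k in FINDING_KEYWORDS.get(event["source"], ()))


def per_host_view(events):
    """The 'single view' of slide 13: host -> source -> list of findings."""
    view = defaultdict(lambda: defaultdict(list))
    for e in events:
        if is_finding(e):
            view[e["host"]][e["source"]].append(e)
    return view


def correlate(events, window=timedelta(minutes=10), min_sources=3):
    """Flag hosts where at least `min_sources` distinct silos report a finding
    inside one `window`.  No single silo sees this pattern on its own, which is
    exactly the point slide 12 makes about unshared data."""
    flagged = {}
    for host, by_source in per_host_view(events).items():
        findings = sorted((e for evs in by_source.values() for e in evs),
                          key=lambda e: e["ts"])
        for i, start in enumerate(findings):  # sliding window over time-ordered findings
            sources = {f["source"] for f in findings[i:] if f["ts"] - start["ts"] <= window}
            if len(sources) >= min_sources:
                flagged[host] = sorted(sources)
                break
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    for host, by_source in per_host_view(events).items():
        print(host, {src: len(evs) for src, evs in by_source.items()})
    print("correlated:", correlate(events))
```

The threshold and window are the tuning knobs a SIM exposes: with the constructed input, `ws-017` is reported by all four silos within five minutes and is flagged, `ws-042` has a single firewall deny and is not, and `srv-db01` only logged a clean scan. Narrowing the window to one minute drops `ws-017` as well, which shows why correlation rules need to be tuned against the organisation's own event rates rather than copied from a default.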