Top 10 Security Challenges


Top 10 Security Challenges, presented at the Experts Business Continuity Conference in Manama, Bahrain, by Jorge Sebastiao for eSgulf.

Published in: Business, Technology
  • Introduction of presentation, speaker, and thank you. Introduction into an updated strategy for eSecurity effective for today’s technologies, and eGovernment environments.
  • Top 10 Security Challenges

    1. Top 10 Security Challenges/Issues 2006. Jorge Sebastião, Founder and CEO, [email_address]
    2. Can IT face the Challenge?
    3. Top 10 Challenges
       • Security Awareness & End Users
       • Google Exposure
       • Standards Compliance & Regulations, Updates to ISO27001
       • Vulnerability Management
       • Change Management & Coordination Mgmt
       • Patch Management
       • Effective Security Monitoring
       • Incident Response
       • Managing Outsourcing Risk
       • Disaster Recovery & Business Continuity, Crisis Management
    4. 1. Security Awareness & End Users
       • The #1 threat to security is people.
       • Cause: Large, growing user population and friendly applications. People's weaknesses are caused by lack of knowledge.
       • Threat: Illiteracy in how the internet works allows social engineering.
    5. Social Engineering Risk
       • "… 70 percent of those asked said they would reveal their computer passwords for a …" bar of chocolate. Source: Schrage, Michael, 2005.
    6. Phishing Stats
    7. Phishing 101
    8. Security & people is a complex process. It doesn't matter how strong you build a fortress, there's always a way around.
    9. 2. Google Exposure
       • Google is the #1 hackers' tool.
       • Cause: Any information posted or disseminated through the internet can easily be recorded and indexed.
       • Threat: Exposure of corporate as well as personal confidential information.
    10. Google Hacking: Filetype
       • Advanced operator: "filetype:"
    11. Google Hacking: intitle
       • Advanced operator: "intitle:"
         • intitle: search_term
         • Finds the search term within the title of a web page
         • Example: find directory listings: intitle: Index.of "parent directory"
    12. Google Hacking: Mailbox
       • Personal mailbox
         • intitle: Index.of inurl: Inbox (456) (MIT mailbox)
         • After several clicks, got the private email messages
    13. 3. Standards Compliance & Regulations, Updates to ISO27001
       • Examples: BS7799 now ISO27001, Basel I to Basel II, EMV2, HIPAA, AML, SOX…
       • Cause: Compliance is not always a corporate priority (carrot and stick).
       • Threat: Potential major regulator and government penalties and loss of corporate image. New regulations in various sectors such as financial, health, transportation.
    14. Multitude of changes to Governance
       • ISO27001 (before: ISO17799, BS7799)
       • ISO20000 (before: BS15000)
       • EMV 2 (EMV)
       • Basel 2 (Basel)
       • SOX
       • AML
       • ISO90000
       • CoBIT
       • PAS56 (new ISO…)
       • HIPAA
       • ...
    15. Control Areas
    16. Plan-Do-Check-Act Model
       • PLAN: 1. Establish Security Policy and Objectives; 2. Conduct Risk Analysis
       • DO: 3. Implement Controls/Safeguards; 4. Educate the Organisation
       • CHECK: 5. Continuously Monitor and Review
       • ACT: 6. Continuously Improve
       * The PDCA model is the strategy used in ISO9001 and ISO27001
    17. Summary of Changes
    18. Basel 2 - Time Table
    19. 4. Vulnerability Management
       • "99% of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available"
       • Cause: Large, growing set of vulnerabilities and system weaknesses are caused by disclosure
       • Threat: Vulnerabilities can be exploited and cause loss of Confidentiality, Integrity, Availability
    20. Vulnerability/Exploit Life Cycle
    21. Compromise is Costly
       • Compromised systems may not be immediately identified
       • To fully recover a compromised system, it must be taken offline
         • Downtime of critical servers
         • Time invested by administrators
       • To restore the integrity of the system it must be validated
         • Forensics may take days to complete
         • Reinstall operating system and applications & all security patches
       • Back-ups may contain altered data, making them useless during recovery activities
    22. Continuous Vulnerability Testing
    25. Overview Audit
    26. 5. Change Management & Coordination Mgmt
       • We are always introducing change into the IT infrastructure in an uncontrolled way
       • Cause: Large, growing complexity of network, new technologies, new applications. Change forced from Vulnerability / Patch Management
       • Threat: Unavailability of IT Infrastructure, potential lack of integrity. Potential loss of confidentiality
    27. Change Management
    28. Release Management
    29. Change Mgmt Operation: Stabilize & Deploy Countermeasures
       • New or changed countermeasures
       [Diagram: risk management cycle with the steps Identify, Analyze, Plan, Track, Control and a Risk Statement]
    30. 6. Patch Management
       • The high number of vulnerabilities results in a high number of patches and patching cycles.
       • Cause: Mandatory changes required to make emergency corrections in the IT environment
       • Threat: Patch Management can result in system integrity and availability loss.
    31. Patch Management Requires
       • Processes: consistent and repeatable
       • People: skills, roles, and responsibilities
       • Technology: products, tools, and automation
    32. Patch Management Process
       • 1. Assess Environment. Tasks: A. Baseline of systems; B. Assess architecture; C. Review configuration; D. Discovery and Inventory
       • 2. Identify Patches. Tasks: A. Identify new patches; B. Patch relevance; C. Verify authenticity & integrity
       • 3. Plan Patch Deployment. Tasks: A. Approval to deploy patch; B. Risk assessment; C. Plan release process; D. Acceptance testing
       • 4. Deploy. Tasks: A. Distribute & install patch; B. Report on progress; C. Handle exceptions; D. Review deployment
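The Identify and Plan phases of this process turn on two checks: patch relevance against the Assess-phase baseline, and authenticity and integrity of the patch before it is approved. The Python below is an added illustration, not material from the deck; the inventory baseline, the manifest layout, the HMAC-based stand-in for a vendor signature and the hostnames are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample data (not from the slide deck): the Assess-phase inventory
# baseline, mapping hostname -> installed package versions.
BASELINE = {
    "web01": {"openssl": "1.0.2k", "httpd": "2.4.6"},
    "web02": {"openssl": "1.0.2u", "httpd": "2.4.6"},
    "db01": {"openssl": "1.0.2k", "postgresql": "9.6.1"},
}
# Hypothetical vendor key shared out-of-band; it stands in for a real vendor signature.
VENDOR_KEY = b"constructed-vendor-key"

def version_key(v: str) -> tuple:
    """Sort key so that '2.4.10' > '2.4.6' and '1.0.2u' > '1.0.2k'."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[a-z]+", v))

def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """HMAC-SHA256 over every manifest field the deployment decision depends on."""
    msg = "|".join([manifest["id"], manifest["package"], manifest["fixes_below"], manifest["sha256"]])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def verify_patch(manifest: dict, payload: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Identify task C: authenticity of the manifest and integrity of the payload."""
    authentic = hmac.compare_digest(sign_manifest(manifest, key), manifest["signature"])
    intact = hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"])
    return {"authentic": authentic, "intact": intact}

def relevant_hosts(manifest: dict, baseline: dict = BASELINE) -> list:
    """Identify task B: hosts running the package at a version below the fixed one."""
    pkg, fixed = manifest["package"], version_key(manifest["fixes_below"])
    return sorted(h for h, pkgs in baseline.items() if pkg in pkgs and version_key(pkgs[pkg]) < fixed)

def plan_deployment(manifest: dict, payload: bytes, baseline: dict = BASELINE) -> dict:
    """Plan task A: approve only an authentic, intact, relevant patch; otherwise record an exception."""
    checks = verify_patch(manifest, payload)
    if not all(checks.values()):
        return {"decision": "exception", "reason": "verification failed", **checks}
    hosts = relevant_hosts(manifest, baseline)
    if not hosts:
        return {"decision": "skip", "reason": "no affected hosts"}
    return {"decision": "deploy", "hosts": hosts}

# Constructed patch payload and its signed manifest.
PAYLOAD = b"openssl-1.0.2u patch bytes (constructed)"
MANIFEST = {"id": "PATCH-001", "package": "openssl", "fixes_below": "1.0.2u",
            "sha256": hashlib.sha256(PAYLOAD).hexdigest()}
MANIFEST["signature"] = sign_manifest(MANIFEST)
```

A tampered payload fails the integrity check while the manifest stays authentic, and an edited manifest fails the authenticity check; either outcome is routed to the Deploy-phase "handle exceptions" task instead of being installed.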
    33. 7. Effective Security Monitoring
       • Cause: Lack of formal, integrated security monitoring for security events and potential incidents
       • Threat: Inability to understand the level of exposure when being attacked.
    34. Lack of effective Monitoring
       • "… Close to 30% of companies indicated they would not be aware that their core business information had been altered until 12 to 24 hours later and roughly 30% would not be aware of a compromise for more than 2 days." Source: CIO Magazine
    35. Effective Monitoring requires an Integrated Process (Organization, IT, SOC)
       • 1. Integrated Log File
       • 2. Encrypted Log Data
       • 3. Analysis
       • 4. Alerting
       • 5. Respond
       • 6. (Ongoing) Vulnerability Test, Pen Test, Patching, Incident Response Knowledge
    36. Security Events Must be Correlated
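To show why the integrated log, analysis and alerting steps above depend on correlating events from more than one feed, here is an added Python example that is not from the deck: the log lines, their field format and the "five failures then a success from one source" rule are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the slide deck): a firewall feed and an
# authentication feed already merged into one integrated log (slide step 1).
INTEGRATED_LOG = """\
2006-03-01T09:00:01 fw   DENY  src=203.0.113.7 dst=10.0.0.5 dport=23
2006-03-01T09:00:05 fw   ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2006-03-01T09:00:06 auth FAIL  user=admin src=203.0.113.7
2006-03-01T09:00:08 auth FAIL  user=admin src=203.0.113.7
2006-03-01T09:00:10 auth FAIL  user=admin src=203.0.113.7
2006-03-01T09:00:12 auth FAIL  user=admin src=203.0.113.7
2006-03-01T09:00:14 auth FAIL  user=admin src=203.0.113.7
2006-03-01T09:00:20 auth OK    user=admin src=203.0.113.7
2006-03-01T09:05:00 auth FAIL  user=bob src=198.51.100.9
2006-03-01T09:30:00 auth OK    user=bob src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)\s+(.*)$")

def parse(log: str) -> list:
    """Step 3, analysis: turn each raw line into an event dict with a typed timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stall the pipeline
        ts, source, action, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source, "action": action, **fields})
    return events

def correlate(events: list, fails: int = 5, window: timedelta = timedelta(minutes=2)) -> list:
    """Step 4, alerting: a successful login preceded by >= `fails` failures from the same source within `window`."""
    recent = defaultdict(list)  # src -> timestamps of that source's recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "auth":
            continue  # firewall lines stay in the integrated log but are not part of this rule
        src = e["src"]
        recent[src] = [t for t in recent[src] if e["ts"] - t <= window]
        if e["action"] == "FAIL":
            recent[src].append(e["ts"])
        elif e["action"] == "OK" and len(recent[src]) >= fails:
            alerts.append({"src": src, "user": e["user"], "ts": e["ts"], "failures": len(recent[src])})
            recent[src].clear()
    return alerts
```

No single line in the sample is alarming on its own; only the sequence of failures followed by a success from the same source, within the time window, produces the alert, while bob's isolated failure and later login do not.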
    37. 8. Incident Response
       • Cause: Lack of formal security incident response process.
       • Threat: Generally facilitated by lack of integration of systems security. Unable to respond to attacks in a timely manner.
    38. Incident Response
       [Diagram: incident response timeline from T-1 through T0, T1 … TN: Analyse, Contain, Eliminate, Restore, Lessons, Refine Policy, with Continuous Monitoring and Communicate throughout]
    39. Incident Response Functions
       • Triage
       • Incident
       • Notification
       • Escalation
       • Incident Lifecycle
    40. Incident Response Workflow
       [Diagram: Event Correlation feeds an Event Database; Automatic Incident Alert Generation produces an Incident Alert Form, recorded in the HelpDesk DATABASE and handled by a Security Analyst]
    41. Incident Response Lifecycle
       [Diagram: a New Incident (reported by an analyst, reported by a customer, or detected by event correlation) is entered in the Helpdesk DATABASE and assigned a Tracking Number (e.g. IR0012885), then progresses through different stages/states with automatic notification/escalation to the Security Analyst]
    42. 9. Managing Outsourcing Risk
       • Cause: Lack of formal analysis and measurement process for outsourcing risk management
       • Threat: High level of risk exposure, runaway uncontrolled risk. Complete loss of business.
    43. Outsourcing Risk: Example 1: Credit Card Fiasco
       • Disclosure of 40 million credit and debit cards
       • Visa stops processing with CardSystem Solutions
       • Judge: Visa and MasterCard won't have to inform customers that their personal details were exposed in a high-profile data security breach
       • Credit bureaus to adopt data protection standards
       • Credit card makers forced to scrutinize security
    44. Outsourcing Risk: Example 2: Call Center Leaks Credit Cards
       • The Sun organized a sting where they caught a call center employee selling credit cards
       • Yet another incident where a call center staffer was selling personal data. The data consisted of banking details of British customers, and was sold by people at an outsourced call center in India
       • There are security risks to outsourcing, and there are security risks to offshore outsourcing. But the risk illustrated in this story is the risk of malicious insiders
    45. Do you have an integrated risk mgmt plan?
    46. 10. Disaster Recovery & Business Continuity, Crisis Management
       • Cause: Lack of formal business continuity or disaster recovery process, crisis management.
       • Threat: Unable to respond to major disruptions or attacks, causing complete system or organization unavailability.
    48. Assessment: Executive Review (Source: Dr David J Smith, 2002)
    49. Mobile Response to Disaster
    50. Are you ready for security?
       • "… Don't bring a knife to a gun fight …"
    51. The « defence in depth »
    52. Questions?