  • Guard Era Security Overview Preso (Draft)

    1. IT & Internet Security Overview
        Superior Oil
        January 17, 2008
        Mike Panno
        GuardEra Access Solutions, Inc.
        200 W. 22nd Street, Suite 220
        Lombard, IL 60148
        847.348.0600
    2. GuardEra Access Solutions, Inc.
        Mike Panno, President & CEO
    3. Discussion Agenda
        • Why information security?
        • What is information security?
        • Top 10 “Must do’s” for small-mid sized businesses
        • Q&A
    4. Overview
        • Hackers and thieves are increasingly targeting small businesses
        • According to a 2005 FBI study, 90% of businesses and organizations had at least one security incident within the past 12 months
        • Symantec Internet Threat Report: over 80% of data breaches could be prevented
    5. Overview Cont’d
        • On average, small businesses lost over $200,000 per incident
        • Consumers are starting to take note of businesses’ cyber security record
            • 20% of consumers would not return to a business that had a security breach
            • 85% of consumers would shop more at a business known for good cyber security practices
    6. Overview Cont’d
        • Small businesses can no longer afford not to make “cyber security a priority”
        • There are simple, practical steps a small business can take to protect itself and its customers
        • A good start is to follow NCSA’s Top 7 Small Business Cyber Security Tips
        • Conduct a risk assessment and develop a cyber security plan
    7. Spectrum of Cyber Threats
        [Diagram: threat actors placed on axes labelled Unstructured, Structured and Sophistication]
        • Hacktivists
        • Insiders
        • Information warriors
        • Intelligence agencies
        • Terrorists
        • Industrial espionage
        • Organized crime
        • Institutional hackers
        • Recreational hackers
    8. The Risk Equation
        • Risk = Threat x Vulnerability x Consequences
            • Threat: Malicious intentions or capabilities
            • Vulnerability: Weaknesses in technology, processes, or procedures
            • Consequences:
    9. Information System Vulnerabilities
        • Definition: Conditions that may lead to an implicit or explicit failure of the confidentiality, integrity, or availability of an information system
        • Examples:
            • Executing commands as another user
            • Accessing data in excess of specified or expected permission
            • Posing as another user or service within a system
            • Causing an abnormal denial of service
            • Inadvertently or intentionally destroying data without permission
            • Exploiting an encryption implementation weakness that significantly reduces the time or computation required to recover the plaintext from an encrypted message
        • Common causes:
            • Design flaws in software and hardware
            • Botched administrative processes
            • Lack of awareness and education in information security
            • Advancements in the state of the art or improvements to current practices
    10. Potential Consequences
        • Embarrassment
        • Repair costs
        • Misinformation or worse
        • Loss of (eCommerce) business
        • Legal trouble
            • Federal Trade Commission/BJ’s Wholesale Club Case
    11. Three Common Attacks Today
        • Theft of data and resources
        • Denial-of-service attacks
        • Malicious code and viruses
    12. Theft of Data and Resources
        • Stealing your computer files
        • Accessing your computer accounts
        • Stealing your laptops and computers
        • Intercepting your e-mail
    13. Information Security is a Process
        (1) Identify Enterprise Security Risks & Priorities
        (2) Define Security Strategies
        (3) Design, Test & Implement
        (4) Monitor, Anticipate & Respond
        (5) Manage & Improve
        Start with an assessment of risks, then define security strategies to address the highest-priority items, implement solutions, monitor, and improve upon them.
    14. Defense In Depth: Security Best Practices
        • Secure your network
        • Secure your endpoints and devices
        • Mitigate and control threats
    15. Secure Your Network
        • Analogy: Gated community
        • Challenges:
            • Unauthorized access: Can lead to loss of company data, unplanned downtime, and related liability concerns
            • Peer-to-peer file sharing and instant messaging: Distract employees and reduce productivity
            • Viruses: Can infect systems, bringing them down and resulting in outages and lost revenue
            • Spam and phishing: Create a nuisance and contribute to loss of employee productivity
            • Browsing of non-work-related websites: Leads to loss of employee productivity and possible company liability issues
            • Infected VPN traffic: Creates a vector for threats to enter the network and disrupt the business
        • Solutions:
            • Secure gateway
            • Secure access (remote via VPN; on-site via authentication)
            • Employee awareness and training
    16. Secure Your Endpoints and Devices
        • Analogy: Individual houses in the community
        • Challenges:
            • PCs: Out-of-date software leaves vulnerabilities open
            • Laptops: Non-corporate web access provides multiple threat vectors; theft of an unencrypted laptop risks loss of proprietary information
            • Cell phones, PDAs, smart phones: Same risks as laptops, except that smaller devices are easier to misplace
            • Wireless access: Public hotspots, conventions, hotels, and airports are wide-open venues for attackers
        • Solutions:
            • Update software regularly or automatically
            • Encrypt endpoints
            • Employ secure integrated services routers and behavior-based agents
            • Employee awareness and training
    17. Mitigate and Control Threats
        • Analogy: Security patrols in the community
        • Challenges:
            • Unconnected “seams” between network and hosts could impede “connecting the dots” of an attack
            • IT support staff are often not trained in incident response
            • Information sharing barriers slow incident awareness
        • Solutions:
            • Deploy network flow technology to gain an end-to-end view of the network
            • Develop and train an incident response team
            • Join your sector’s Information Sharing and Analysis Center
            • Take advantage of the US Computer Emergency Readiness Team (US-CERT) and Homeland Security Information Network (HSIN) alert networks
    18. GuardEra’s Services Portfolio
        • Security Infrastructure
        • Compliance Assessment And Remediation
        • Managed IT Services
        • Network Infrastructure
    19. Top 10 SMB Security Must-do’s:
        • Model the threats to your business, and perform a security risk assessment
        • Develop an information security policy, and educate your users
        • Design a secure network, implement packet filtering in the router, implement a firewall, and use a DMZ network for servers requiring Internet access
        • Use anti-virus software, both at the gateway and on each desktop
        • Use only operating systems that have adequate security baseline capabilities
        • Know your network, harden systems by removing unnecessary applications, and maintain an aggressive program of patching operating systems and applications
        • Use personal firewalls, particularly on laptops used by mobile users
        • Use strong authentication
        • Develop a computer incident response plan
        • Get started!
    20. Other Security Resources
        • http://www.staysafeonline.org/basics/small_business.html
            • National Cyber Security Alliance business site
        • Additional Resources
        • www.csrc.nist.gov/ (NIST Computer Security Division)
        • www.US-CERT.gov (U.S. Computer Emergency Readiness Team)
        • www.asbdc-us.org (Security Guide for Small Biz)
        • iase.disa.mil (Information Assurance Support)
        • www.isalliance.org (Common sense infosec guides)
        • irtsectraining.nih.gov/ (Free online information security training)
        • www.ftc.gov (Federal Trade Commission infosec info)
    21. Questions?
        Mike Panno
        GuardEra Access Solutions, Inc.
        200 W. 22nd Street, Suite 220
        Lombard, IL 60148
        847.348.0600
