IT Security: a CIO Perspective
The 3rd Kuwait Info Security Conference & Exhibition
By Ghassan Farra, Senior Consultant, The Advance Technology Group
IT Security Architecture
- Business strategies driving the business
- Management and operational policies
- Hardening, HIPS
- Secure encryption and authentication technologies
- Security practices in development, penetration tests
- Firewalls, NIPS
- Operational procedures, audits, log analysis, content inspection
- Business continuity, incident response
5/26/2011, 3rd Annual InfoSecurity Conference
Pitfalls in the Security Fortress
Unforeseen, seemingly harmless practices and technologies can bring the security fortress crumbling down and expose the entire infrastructure to numerous risks and threats.
PST Files
Risks
- The majority of an enterprise's sensitive documents today sit in email messages.
- Messages are archived to local PST files, which are often lost on employee exit or corrupted once they reach their size limit.
- PST files sit outside the central mail store and so often elude the retention policy.
Mitigation
- Mail archiving solution
- Central repository for sharing documents
3rd Party Network Access
Risks
- Allowing third-party network access (3G, 4G) from corporate endpoints opens a pathway into the corporate network that bypasses the perimeter controls.
- The infrastructure is exposed to threats from the untrusted network.
- Theft of critical information.
Mitigation
- Define and establish policy and procedures.
- Endpoint or port control solution.
Wireless Network
Risks
- Use of weak encryption algorithms (WEP and WPA/TKIP are broken; only WPA2 with AES was current in 2011).
- No identification and authentication of base stations, so a client cannot tell a legitimate access point from a rogue one.
- Unencrypted communication channel.
Mitigation
- Use the latest wireless encryption protocols.
- Require authentication to access wireless services.
- Monitor for rogue base stations.
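The two detection points on this slide, weak encryption and rogue base stations, can be checked from an ordinary site scan once you keep an inventory of the access points you actually own. The script below is an added example, not material from the deck: the scan text is constructed in a simple `ssid;bssid;security;channel` format rather than the output of any real tool, and the authorized-AP inventory and corporate SSID names are hypothetical.

```python
"""Triage a wireless scan for weak encryption and rogue base stations.

Added example. Assumes a constructed scan format (one AP per line:
ssid;bssid;security;channel) and a hypothetical inventory of sanctioned APs.
"""
from dataclasses import dataclass

# Constructed scan output (not from a real tool): ssid;bssid;security;channel
SCAN = """\
CORP-WIFI;00:11:22:33:44:01;WPA2-AES;6
CORP-WIFI;00:11:22:33:44:02;WPA2-AES;11
CORP-WIFI;de:ad:be:ef:00:01;WPA2-AES;6
CORP-GUEST;00:11:22:33:44:03;OPEN;1
LegacyPrinter;00:11:22:33:44:04;WEP;3
CoffeeShop;aa:bb:cc:dd:ee:ff;WPA2-TKIP;9
"""

# Hypothetical inventory of sanctioned access points: BSSID -> SSID it serves
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CORP-WIFI",
    "00:11:22:33:44:02": "CORP-WIFI",
    "00:11:22:33:44:03": "CORP-GUEST",
    "00:11:22:33:44:04": "LegacyPrinter",
}
CORP_SSIDS = {"CORP-WIFI", "CORP-GUEST"}

# Modes a client should never be asked to use: no encryption, WEP (trivial key
# recovery), or WPA/WPA2 with TKIP (RC4-based and deprecated).
WEAK_MODES = {"OPEN", "WEP", "WPA-TKIP", "WPA2-TKIP"}


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    severity: str
    issue: str


def parse_scan(text):
    """Parse constructed scan lines into (ssid, bssid, security, channel)."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, channel = line.split(";")
        aps.append((ssid, bssid.lower(), security.upper(), int(channel)))
    return aps


def triage(text, authorized=AUTHORIZED_APS, corp_ssids=CORP_SSIDS):
    """Return findings in scan order: rogue APs, weak modes, unknown APs."""
    findings = []
    for ssid, bssid, security, channel in parse_scan(text):
        known_ssid = authorized.get(bssid)
        if ssid in corp_ssids and known_ssid != ssid:
            # A corporate SSID served by a BSSID we do not own: an evil twin
            # or rogue base station impersonating the network.
            findings.append(Finding(bssid, ssid, "high",
                f"rogue base station advertising corporate SSID on channel {channel}"))
        if known_ssid == ssid and security in WEAK_MODES:
            # One of our own APs misconfigured with weak or no encryption.
            severity = "high" if security == "OPEN" else "medium"
            findings.append(Finding(bssid, ssid, severity,
                f"sanctioned AP using weak security mode {security}"))
        if known_ssid is None and ssid not in corp_ssids:
            # Not ours and not pretending to be: a neighbour, or an
            # unsanctioned AP plugged into our LAN. Needs a walk, not a script.
            findings.append(Finding(bssid, ssid, "info",
                "unknown AP in range (neighbour or unsanctioned)"))
    return findings


if __name__ == "__main__":
    for f in triage(SCAN):
        print(f"[{f.severity}] {f.ssid} {f.bssid}: {f.issue}")
```

The inventory check is what makes the rogue detection work: matching on SSID alone would pass the evil twin, because by design it advertises the same name. In practice you feed `triage` from a scheduled scan on a few sensor hosts and alert on any `high` finding.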
Laptop Theft or Damage
Risks
- Laptops contain highly critical data.
- Without controls such as full disk encryption, the data is easily retrieved from a stolen or discarded laptop.
Mitigation
- Management policies and guidelines.
- Full disk encryption, plus backups so that theft or damage does not also mean data loss.
- Awareness on using laptops in and out of the office, in public places, etc.
HR Processes
Risks
- No notification to IT on employee exit or internal transfer.
- Leavers retain access privileges to corporate data.
- Leavers and transferred staff retain access to critical business applications they no longer need.
Mitigation
- Define a corporate policy.
- Establish the joiner/mover/leaver process or procedure that links HR events to account changes.
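Even with a leaver process in place, the control that catches the cases the process missed is a periodic reconciliation of the HR roster against the account directory. The following is an added example, not part of the deck: the roster, the directory export and the department-to-group entitlement model are all constructed, and the group names are hypothetical.

```python
"""Reconcile an HR roster against directory accounts (added example).

Finds: terminated staff whose accounts are still enabled (leavers), staff
holding groups their current department is not entitled to (movers), and
accounts with no HR record (orphans). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    emp_id: str
    username: str
    department: str
    status: str                    # "active" or "terminated"
    end_date: Optional[date] = None


@dataclass
class Account:
    username: str
    enabled: bool
    groups: set


# Constructed HR roster as of the reconciliation date
ROSTER = [
    Employee("E1001", "alice", "finance", "active"),
    Employee("E1002", "bob", "hr", "active"),            # moved from finance
    Employee("E1003", "carol", "finance", "terminated", date(2011, 5, 20)),
    Employee("E1004", "dave", "it", "active"),
    Employee("E1005", "erin", "hr", "terminated", date(2011, 4, 1)),
]

# Constructed directory export
ACCOUNTS = {
    "alice": Account("alice", True, {"staff", "erp-finance"}),
    "bob": Account("bob", True, {"staff", "erp-finance", "hris-admin"}),
    "carol": Account("carol", True, {"staff", "erp-finance"}),
    "dave": Account("dave", True, {"staff", "domain-admins"}),
    "erin": Account("erin", False, {"staff"}),
    "svc-backup": Account("svc-backup", True, {"backup-operators"}),
}

# Hypothetical entitlement model: groups each department may hold
DEPARTMENT_GROUPS = {
    "finance": {"staff", "erp-finance"},
    "hr": {"staff", "hris-admin"},
    "it": {"staff", "domain-admins"},
}


def reconcile(roster, accounts, dept_groups, today):
    """Return the three classes of discrepancy as sorted, deterministic output."""
    by_user = {e.username: e for e in roster}
    leavers_enabled = []
    excess_groups = {}

    for emp in roster:
        acct = accounts.get(emp.username)
        if acct is None:
            continue                          # no account: nothing to revoke
        left = emp.status == "terminated" and emp.end_date is not None \
            and emp.end_date <= today
        if left and acct.enabled:
            leavers_enabled.append(emp.username)
            continue                          # disable first; groups go with it
        if emp.status == "active":
            allowed = dept_groups.get(emp.department, set())
            extra = acct.groups - allowed     # typically groups kept after a move
            if extra:
                excess_groups[emp.username] = extra

    orphans = sorted(u for u in accounts if u not in by_user)
    return {
        "leaver_still_enabled": sorted(leavers_enabled),
        "excess_groups": excess_groups,
        "orphan_accounts": orphans,
    }


if __name__ == "__main__":
    report = reconcile(ROSTER, ACCOUNTS, DEPARTMENT_GROUPS, date(2011, 5, 26))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Orphans such as `svc-backup` are not necessarily wrong (service accounts have no HR record) but they need an owner of record; the point of listing them is that nobody's exit will ever trigger their review otherwise. The entitlement model is the piece organisations most often lack, and without it mover detection is impossible.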
Removable Media
Risks
- Infection of the computer, and in turn the network, with malicious code or malware, e.g. Stuxnet, which spread via USB drives.
- Authorized and unauthorized theft of information.
Mitigation
- Endpoint or port control solution (USB, CD-ROM, serial, parallel, etc.).
- Encrypt external media (USB, DVD/CD) that carry critical information.
- Policy and guidelines to support and tune the solution.
Clean Desk
Risks
- Access to critical physical data (documents, notes and media left on desks).
- Unauthorized access to user accounts and business applications through unattended, unlocked workstations.
Mitigation
- Define and establish policy and procedures.
- Security and information handling awareness campaign.
- Locking of desktops and critical applications (automatic and manual).
Single Sign-On
Risks
- Compromising one account gives access to multiple systems.
- All applications are reachable from a single SSO session, which leaves a pathway to information leaks or privacy violations.
Mitigation
- Enforce strong (multi-factor) authentication.
- Enforce automatic workstation lock-out.
- Enforce session idle time-out.
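What the three mitigations look like at the SSO session layer is a session store that enforces an idle timeout, an absolute lifetime, and a step-up to a second factor before the sensitive applications are reachable, so one captured session does not unlock everything for as long as the attacker likes. The code below is an added example, not the deck's or any product's; the timeout values and the list of sensitive applications are hypothetical, and the caller passes the clock in explicitly so the behaviour is testable.

```python
"""SSO session policy: idle timeout, absolute lifetime, MFA step-up.

Added example. IDLE_TIMEOUT, ABSOLUTE_LIFETIME and SENSITIVE_APPS are
hypothetical policy values; `now` is passed in rather than read from the
system clock so the policy can be exercised deterministically.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)      # hypothetical policy
ABSOLUTE_LIFETIME = timedelta(hours=8)    # hypothetical policy
SENSITIVE_APPS = {"payroll", "erp-finance"}   # hypothetical step-up list


@dataclass
class Session:
    user: str
    created: datetime
    last_activity: datetime
    mfa_verified: bool


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, now, mfa_verified=False):
        # 256-bit random identifier; never derived from user or time.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now, mfa_verified)
        return sid

    def revoke(self, sid):
        self._sessions.pop(sid, None)

    def _expired(self, sid, now):
        """Return a reason string if the session is dead, else None.
        Expired sessions are removed so a replayed id cannot be revived."""
        s = self._sessions.get(sid)
        if s is None:
            return "no such session"
        if now - s.created > ABSOLUTE_LIFETIME:
            self.revoke(sid)
            return "absolute lifetime exceeded"
        if now - s.last_activity > IDLE_TIMEOUT:
            self.revoke(sid)
            return "idle timeout"
        return None

    def elevate(self, sid, now):
        """Record a successful second-factor check on a live session."""
        if self._expired(sid, now):
            return False
        self._sessions[sid].mfa_verified = True
        self._sessions[sid].last_activity = now
        return True

    def authorize(self, sid, app, now):
        """Decide whether this session may reach `app` right now."""
        reason = self._expired(sid, now)
        if reason:
            return (False, reason)
        s = self._sessions[sid]
        if app in SENSITIVE_APPS and not s.mfa_verified:
            # Refusal does not count as activity, so a bot hammering a
            # sensitive app cannot keep an idle session alive.
            return (False, "step-up MFA required")
        s.last_activity = now
        return (True, "ok")


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2011, 5, 26, 9, 0)
    sid = store.create("alice", t0)
    print(store.authorize(sid, "intranet", t0 + timedelta(minutes=5)))
    print(store.authorize(sid, "payroll", t0 + timedelta(minutes=6)))
    print(store.authorize(sid, "intranet", t0 + timedelta(minutes=40)))
```

The absolute lifetime is the check people forget: an idle timeout alone is defeated by any client that keeps the session warm, which is exactly what a hijacked session does. Workstation lock-out is enforced by the endpoint rather than here, but it matters because it closes the window in which an unlocked desk exposes a still-valid session.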
IT Asset Management
Risks
- No structured process to manage assets.
- No policy or procedure to handle end-of-life or disposed assets.
- No data sanitization procedures.
- Critical information remains on the disks of equipment that leaves the organization.
Mitigation
- Define and establish an asset management process.
- Define and establish data sanitization procedures, with a record of what was wiped, how, and by whom.
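A sanitization procedure is only worth having if it overwrites every byte, verifies the result, and leaves a record tied to the asset tag. The script below is an added example and not from the deck: it overwrites a file with random data and then zeros, reads it back to verify, and produces the record. It demonstrates the technique on a constructed temporary file; on a real disk you would open the block device instead, and only for magnetic media, since SSDs and flash remap blocks and need ATA Secure Erase, NVMe sanitize, cryptographic erase or physical destruction.

```python
"""Overwrite-and-verify data sanitization with a disposal record.

Added example. Works on any writable path (a file here, a block device on a
real decommission); the asset tag and method string are hypothetical labels.
Overwriting is only a valid sanitization method for magnetic disks.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20   # 1 MiB write/read unit


def _overwrite(fh, size, pattern):
    """Write `size` bytes produced by pattern(n) from offset 0 and sync to disk."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(pattern(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def sanitize(path, random_passes=1):
    """Random pass(es) then a zero pass over every byte; verify the zero pass.

    Returns (size_in_bytes, verified). Verification reads the whole range back
    from the device rather than trusting that the writes landed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(random_passes):
            _overwrite(fh, size, secrets.token_bytes)
        _overwrite(fh, size, lambda n: b"\x00" * n)
        fh.seek(0)
        verified = True
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            if chunk != b"\x00" * len(chunk):
                verified = False
                break
    return size, verified


def sanitize_and_record(path, asset_tag, operator):
    """Run the wipe and return the disposal record the asset register keeps."""
    size, ok = sanitize(path)
    return {
        "asset": asset_tag,
        "target": path,
        "bytes": size,
        "method": "overwrite: 1 random pass + zero pass, read-back verified",
        "verified": ok,
        "operator": operator,
    }


def demo_sanitize():
    """Constructed demonstration: plant a marker, wipe, prove it is gone."""
    marker = b"CONFIDENTIAL-PAYROLL-2011"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 4096)       # ~100 KiB of recognisable content
        path = tmp.name
    try:
        record = sanitize_and_record(path, "LT-0042", "asset-desk")
        with open(path, "rb") as fh:
            after = fh.read()
        record["marker_survived"] = marker in after
        record["all_zero"] = after == b"\x00" * len(after)
        return record
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_sanitize())
```

The read-back is deliberately against the same path rather than a cached buffer; `os.fsync` after each pass is what makes the verification mean something. Keep the returned record with the asset register entry, because the question that comes back a year later is not whether a disk was wiped but which disk, by whom, and how.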