College Presentation


Overview of Security given to Muskingum College Master's Students

Speaker notes:
  • Related story of companies taking down their web site during code red
  • Possession example: if confidential information such as a user ID-password combination is in a sealed container and the container is stolen, the owner justifiably feels that there has been a breach of security even if the container remains closed (this is a breach of possession or control over the information). Utility example: if data is encrypted and the decryption key is unavailable, the breach of security is in the lack of utility of the data. Source: ,2542,t=Parkerian+Hexad&i=48859,00.asp. The Parkerian Hexad: six fundamental, atomic, non-overlapping attributes of information that are protected by information security measures. Defined by Donn B. Parker, renowned security consultant and writer, they are confidentiality, possession, integrity, authenticity, availability and utility.
  • Guidelines for the Management of IT Security, as published by ISO. Vulnerability: vulnerability is the likelihood of success of a particular threat category against a particular organization. Notice that if this were the likelihood of success of a particular attack (e.g., the Ping of Death) against a particular machine, the likelihood would be either 0 or 1 (0 percent or 100 percent). But since we are concerned about vulnerability at an organizational level (with, say, 1,000 PCs and 50 servers configured and architected in a particular way) to an entire class of threat, binary terms don't work. Instead, vulnerability has to be quantified in terms of a probability of success, expressed as a percent likelihood.
  • Threats generally have numbers associated with them – e.g. Florida is likely to have 1.4 hurricanes each year
  • Scanners can often assist with identifying known vulnerabilities
  • Controls. Software: operating system controls that protect users from each other or from sensitive data; program controls that enforce security restrictions; virus scanners, intrusion detection systems, etc. Hardware: locks, firewalls, smartcards. Physical: door locks, guards, backups.
  • Threat: Earthquake. Vulnerability: Building not up to earthquake code. Cost: Millions. Risk: Low.
    Threat: Computer Virus. Vulnerability: Likely medium to high. Costs: Depends. Risk:
  • Risk management steps:
    • Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.
    • Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.
    • Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.
    • Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.
    • Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.
    • Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.
    • The business environment is constantly changing and as a result introducing new vulnerabilities; countermeasures are also constantly changing and must be reevaluated.
  • Examples to discuss:
    • Accepting the risk: an FTP server is prone to being owned, yet it isn’t worth the time or trouble to properly defend it because doing so would exceed the cost of the item.
    • Mitigating the risk: a vulnerability audit indicates that your web server is vulnerable to cross site scripting attacks and has an old operating system.
    • Transferring the risk: you are a Heisman winning quarterback as a junior and you want to come back for your senior season; what do you do to manage the risk?
    • Deny the risk:
  • Clifford Stoll (the author) managed some computers at Lawrence Berkeley Laboratories in California. One day, his supervisor (Dave Cleveland) asked him to resolve a USD$ 0.75 accounting error in the computer usage accounts. He traced the error to an unauthorized user who had apparently used up 9 seconds of computer time and not paid for it, and eventually realized that the unauthorized user was a hacker who had acquired root access to the LBL system by exploiting a vulnerability in the movemail function of the original GNU Emacs. Over the next ten months, Stoll spent a great deal of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Bellknap, helped with the phone lines. Over the course of a long weekend he rounded up fifty terminals, mostly by "borrowing" them from the desks of co-workers away for the weekend, and teletype printers and physically attached them to the fifty incoming phone lines. When the hacker dialed in that weekend, Stoll located the phone line, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE, a defense contractor in McLean, Virginia. Stoll, after returning his "borrowed" terminals, left a teletype printer attached to the intrusion line in order to see and record everything the hacker did. Stoll recorded the hacker's actions as he sought, and sometimes gained, unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or "SDI". The hacker also copied password files (in order to make dictionary attacks) and set up Trojan horses to find passwords.
    Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators never bothered to change the passwords from their factory defaults. Even on army bases, the hacker was sometimes able to log in as "guest" with no password. Over the course of this investigation, Stoll contacted various agents at the FBI, CIA, NSA, and Air Force OSI. Since this was almost the first documented case of hacking (Stoll seems to have been the first to keep a daily log book of the hacker's activity), there was some confusion as to jurisdiction and a general reluctance to share information. Studying his log book, Stoll saw that the hacker was familiar with VMS, as well as AT&T Unix. He also noted that the hacker tended to be active around the middle of the day, Pacific time. Stoll hypothesized that since modem bills are cheaper at night, and most people have school or a day job and would only have a lot of free time for hacking at night, the hacker was in a time zone some distance to the east. With the help of Tymnet and various agents from various agencies, Stoll eventually found that the intrusion was coming from West Germany via satellite. The Deutsche Bundespost, the German post office, also had authority over the phone system, and they traced the calls to a university in Bremen. In order to entice the hacker to stay on the line long enough to be backtracked from Bremen, Stoll set up an elaborate hoax (known today as a honeypot), inventing a new department at LBL that had supposedly been newly formed because of an imaginary SDI contract. He knew the hacker was mainly interested in SDI, so he filled the "SDInet" account (operated by the imaginary secretary Barbara Sherwin) with large files full of impressive-sounding bureaucratese. The ploy worked, and the Deutsche Bundespost finally located the hacker at his home in Hanover.
    The hacker's name was Markus Hess, and he had been engaged for some years in selling the results of his hacking to the Soviet KGB. There was ancillary proof of this when a Hungarian spy contacted the imaginary SDInet at LBL, based on information he could only have gotten through Hess (apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling them). Stoll later had to fly to Germany to testify at the trial of Hess and a confederate. Although Hess was active at the same time and in the same area as the German Chaos Computer Club, they do not seem to have been working together.
  • Gramm-Leach-Bliley safeguards: access controls on customer information systems; access restrictions at physical locations containing customer information; encryption of electronic customer information; procedures to ensure that system modifications do not affect security; dual control procedures, segregation of duties, and employee background checks; monitoring systems to detect actual attacks on or intrusions into customer information; response programs that specify actions to be taken when unauthorized access has occurred; protection from physical destruction or damage to customer information. Could also talk about FERPA (Family Educational Rights and Privacy Act), which was enacted in 1974. This is a USA Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.
  • You cannot make good decisions about security without first determining what your security goals are; that calls for a risk management program that is constantly evaluating the risks to the business and setting priorities.
  • Security and Loss Prevention, 5th Edition, by Philip P. Purpura, pg. 135
  • Credit Card Industry Grapples with Security: Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems, Inc. and supermarket chain Hannaford Brothers show the challenges facing the efforts of the credit card industry to upgrade security measures. While both companies say their computer networks met the tough new standards meant to prevent data breaches, Visa, Inc. said Heartland may have let its guard down. The positions reflect broader disagreements in the industry, as squabbling between merchants and financial firms over technology and the cost of systems upgrades continues to impede progress while the financial stakes get higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research.
  • "Dirty Websites" Pose Biggest Security Risk: The 100 most dangerous sites on the web are propagating an average of 18,000 different pieces of malware, according to leading security software maker Symantec. While 48 of the top 100 worst are adult-themed sites, others featured diverse topics, ranging from deer hunting and catering, to figure skating, electronics, and legal services. "We used to tell people if you stick with the 'safe neighborhood' you will be safe, and what we see from this list is that even if you stick to the safe neighborhood, it doesn't mean you are safe," said Symantec's Dan Schrader. "Your own judgment doesn't tell you anything about the security practices of that site." Ken Pappas of Top Layer Security adds that "The list of most-offensive websites is changing and new websites are constantly being infected. This is not something like building a ten most-wanted for criminals at large. Whether it's ten viruses or ten thousand doesn't matter; the point is, many people are going to what they believe is a legitimate and trusted website. They have no idea or warnings it will potentially put malware in the computer."
  • Center for Internet Security: a not-for-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. National Security Agency: Guidelines for Security Configurations. Computer Security Resource Center: supported by the National Institute of Standards and Technology.
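The formula on slide 13 (Risk = Threat x Vulnerability x Cost), the earthquake and computer-virus examples in the notes above, and the accept/mitigate/transfer choices of slide 18, worked through as an added Python example. This is not code from the presentation; every figure in it is constructed for illustration, and the insurance premium is assumed, for simplicity, to cover the whole loss.

```python
"""Worked example of the slide-13 formula Risk = Threat x Vulnerability x Cost.

Added illustration, not code from the presentation. Units follow the speaker
notes: Threat is an expected number of events per year (the notes' "1.4
hurricanes each year"), Vulnerability is the organisation-level probability
that such an event succeeds, and Cost is the loss per successful event. The
product is an expected annual loss, which makes unlike risks comparable and
gives a yardstick for the slide-18 choices: accept, mitigate or transfer.
All numbers below are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    threat_per_year: float  # expected events per year
    vulnerability: float    # probability (0..1) that an event succeeds
    cost: float             # loss in dollars per successful event

    def annual_loss(self) -> float:
        """Threat x Vulnerability x Cost, as expected dollars lost per year."""
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("vulnerability must be a probability in [0, 1]")
        return self.threat_per_year * self.vulnerability * self.cost


def choose_response(risk: Risk, control_cost_per_year: float,
                    residual_vulnerability: float,
                    transfer_premium_per_year: Optional[float] = None):
    """Return (choice, expected_annual_cost) for the cheapest business choice.

    accept   - live with the baseline expected loss
    mitigate - pay for a control that lowers vulnerability to residual_vulnerability
    transfer - pay a premium (insurance) assumed here to cover the whole loss
    'Deny the risk' from slide 18 is never returned: it is what organisations
    do when they skip this analysis, not a defensible option.
    """
    mitigated = replace(risk, vulnerability=residual_vulnerability)
    options = {
        "accept": risk.annual_loss(),
        "mitigate": mitigated.annual_loss() + control_cost_per_year,
    }
    if transfer_premium_per_year is not None:
        options["transfer"] = transfer_premium_per_year
    choice = min(options, key=options.get)
    return choice, options[choice]


def prioritize(risks):
    """Rank risks by expected annual loss, highest first (slide 15: prioritizing scarce resources)."""
    return [r.name for r in sorted(risks, key=Risk.annual_loss, reverse=True)]


# Constructed figures for the slide-13 examples plus the FTP server from the notes.
EARTHQUAKE = Risk("earthquake", threat_per_year=0.02, vulnerability=0.7, cost=5_000_000)
VIRUS = Risk("computer virus", threat_per_year=12, vulnerability=0.5, cost=20_000)
FTP_SERVER = Risk("legacy FTP server", threat_per_year=4, vulnerability=0.9, cost=500)

if __name__ == "__main__":
    for r in (EARTHQUAKE, VIRUS, FTP_SERVER):
        print(f"{r.name:18s} expected annual loss ${r.annual_loss():,.0f}")
    print("priority:", prioritize([EARTHQUAKE, VIRUS, FTP_SERVER]))
    # Seismic retrofit: $200k/yr amortised, cuts vulnerability to 0.1; insurance $40k/yr.
    print(choose_response(EARTHQUAKE, 200_000, 0.1, transfer_premium_per_year=40_000))
    # Anti-virus plus patching: $30k/yr, cuts vulnerability to 0.1.
    print(choose_response(VIRUS, 30_000, 0.1))
    # Hardening the FTP box would cost $5k/yr, more than the loss it prevents.
    print(choose_response(FTP_SERVER, 5_000, 0.1))
```

With these figures the virus outranks the earthquake despite its far smaller per-event cost, the retrofit is rejected in favour of insurance, and the FTP server is accepted, which is the reasoning the notes walk through.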

    1. The C, I, A’s of Security
       Introduction to Security Presentation Given To Students in The Master of Information Strategy, System and Technology Curriculum at Muskingum College
       Scott Frost CISSP, CISM, CISA, The Polaris Consulting Group, LLC.
    2. Honesty on the Internet
       12 Sept 2009 Copyright The Polaris Consulting Group
    3. CIA – the three legged tripod
       • Integrity
       • Confidentiality
       • Availability
    4. Confidentiality
       • “Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By ‘access,’ we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy.”
       • Security in Computing, Third Edition, pg. 10
    5. Integrity
       • The quality of correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data.
       • Or more simply put, “The data hasn’t been changed”
    6. Availability
       • The degree to which data and the services or systems that provide the data are working acceptably
    7. CIA – How they work together
       (Diagram labels: Confidentiality, Integrity, Availability, Secure)
    8. Other Key Terms
       • Possession - The ownership or control of information, as distinct from confidentiality.
       • Authenticity - The correct attribution of origin such as the authorship of an e-mail message or the correct description of information such as a data field that is properly named.
       • Utility - Usefulness; fitness for a particular use.
       • Non-repudiation – Sender can’t deny sending and receiver can’t deny receiving (Think digital signatures)
    9. Threats, Vulnerabilities, and Risks Oh My!
       • Threats – something that has the potential to cause harm or loss
       • Vulnerabilities – weakness in a security system
       • Controls – protective measure that removes or reduces a vulnerability
       • Risks – “The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat” (1)
    10. Examples of Threats
       • Acts of God – forces of nature, fire, flood, earthquake
       • Technical Failures – Hardware or software with errors or flaws. (i.e. - Intel FDIV)
       • Management Failures – Failure to upgrade or update, Inappropriate configuration. (AV updates, mis-configured firewall)
    11. Examples of Vulnerabilities
       • Weak or default passwords
       • Un-patched system
       • Design flaw
       • Code flaw (buffer overflows, input validation, etc.)
       • Inadequate building construction
    12. Examples of Controls
       • Security Guards and badges
       • Required vacations for key personnel
       • Internet versus intranet zones
       • Firewalls
    13. What is Risk?
       • Mathematical Definition of Risk:
       • Risk = Threat x Vulnerability x Cost
       • What does this mean? Let’s look at a few examples:
         • Earthquake
         • Computer Virus
    14. Risk Management
       • The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."
    15. Key Components of Risk Management
       • Identification of assets
       • Identification of vulnerabilities and threats to those assets
       • Controls to mitigate risks
       • Aid in the prioritization of scarce resources
       • Is this a one time process or iterative? Why?
    16. Identification of Assets
       • How do you find them?
         • Company provided inventory (generally not so good)
         • Internal Scans (will catch a lot but only if the asset is connected to the network)
         • Walk around
           • Talk to employees
           • Visit data center
    17. Prioritization of Risks
       • Tuesday at noon EDT a new Top Cyber Risks report will be released summarizing current data from the largest network of intrusion prevention sensors and the largest network of vulnerability testers (millions of systems). It shows that the top two cyber risks are far more critical than previously thought, and at the same time that enterprises are acting very slowly to mitigate the risks. In fact the data show that enterprises are investing in less important risks and skimping on the important ones. This is the first time a threat report has been based on a combination of these two data sources on a global scale. Very cool because the findings are authoritative (and were vetted by the Storm Center folks and SANS' top instructors). If you have wanted to get your organization to fix the key problems, you'll find this report to be a powerful tool to move executive decision making forward. If you are a press person and want to be included in the press conference call, please email [email_address] and tell me which publication.
         • SANS NewsBites Vol. 11 Num. 72
    18. Risk Management – Business Choices
       • Accept the risk
       • Mitigate the Risk
       • Transfer the risk
       • Deny the risk
    19. What Brought all of this about?
       • 1980’s – Introduction of personal computers
         • Movies such as “War Games” (Matthew Broderick)
         • Hacking is cool and geeky
       • 1989 – The Cuckoo’s Egg – Clifford Stoll
         • $0.75 accounting error leads to one of the first documented cases of hacking
       • 1990’s
         • Birth of Netscape
         • Back Orifice
         • Kevin Mitnick
       • Early 2000 – Code Red, Nimda, Slammer, identity theft
       • Mid to late 2000’s – Organized crime and governments
    20. WHY????
       • Personal challenge
       • Follow the money
         • Early hacking was to avoid long distance phone calls
         • Later hacking was to break into banks and steal money
         • Now compromising personal information (credit cards, SSN’s, DOB, etc.) are sold in bulk for credit card and other fraud
       • Control of Assets – botnets
       • Corporate and Government Secrets
       • Relatively Anonymous
    21. Evolution of Laws and Regulations
       • 1980’s – Start of Federal laws on computer activity
         • Federal Computer Fraud and Abuse Act
       • 1990’s –
         • HIPAA “Health Insurance Portability And Accountability Act” – Health sector
         • Gramm-Leach-Bliley – Financial Sector
       • 2000’s –
         • Federal Information Security Act (FISMA) – Government regulations
         • Sarbanes-Oxley – Management on the hook for security of financial systems
         • PCI DSS
         • Security Breach Notification Laws
    22. Security Assessments
       • Required by PCI-DSS, GLBA, HIPAA, etc.
       • Main Purpose
         • Ensure that there are sufficient controls to prevent unauthorized data disclosure
       • Likely Result?
         • Long list of vulnerabilities that when exploited resulted in unauthorized data disclosure
       • Now we are back into Risk Management
    23. Security Assessments
       • Management Sponsor
         • Liability protection
       • Scope
         • What is the asset to be protected? Hint: Look for databases, customer data, financial data, corporate secrets, etc.
       • Should include technical and human vulnerabilities (Kevin Mitnick)
       • Should handle false positives and false negatives
       • Risk assessment results that identify the assets, threats, vulnerabilities, etc.
       • Prioritized list of recommendations
    24. Security Assessments
       • Final Step? Schedule another One! Why? Because things change.
    25. Fundamentals of a Good Security Program
       • Management buy in
       • Security Framework (SANS CAG, ISO 27001/2, ITIL)
         • People, Technology, Process
       • Set security goals and develop a WAITT (We Are In This Together) philosophy
       • Risk Prioritization
       • Metrics
       • Defense in Depth – Recognition that one layer is not sufficient
       • Proactive
    26. SANS Consensus Audit Guidelines
       • Critical Controls Subject to Automated Collection, Measurement, and Validation:
         • Inventory of Authorized and Unauthorized Devices
         • Inventory of Authorized and Unauthorized Software
         • Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
         • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
         • Boundary Defense
         • Maintenance, Monitoring, and Analysis of Security Audit Logs
         • Application Software Security
         • Controlled Use of Administrative Privileges
         • Controlled Access Based on Need to Know
         • Continuous Vulnerability Assessment and Remediation
         • Account Monitoring and Control
         • Malware Defenses
         • Limitation and Control of Network Ports, Protocols, and Services
         • Wireless Device Control
         • Data Loss Prevention
       • Additional Critical Controls (not directly supported by automated measurement and validation):
         • Secure Network Engineering
         • Penetration Tests and Red Team Exercises
         • Incident Response Capability
         • Data Recovery Capability
         • Security Skills Assessment and Appropriate Training to Fill Gaps
    27. Security is more than a checklist
       • Proactive security
         • Honeypots, Honeyports
         • Good Trojan horses and call home viruses
       • Think like a hacker
         • Use Twitter
         • Ongoing scan
         • Monitor log files
    28. Historical Defense in Depth
    29. Modern Defense in Depth?
       (Diagram labels: Fire, Network Access Control, Firewall, Network Design, Guards and badges, Log Monitoring, Encryption, DMZ)
    30. Metrics
       • You can't manage what you don't measure. It is an old management adage that is accurate today. Unless you measure something you don't know if it is getting better or worse. You can't manage for improvement if you don't measure to see what is getting better and what isn't.
       • By F. John Reh
    31. Wrapping Things Up
       • Evolution of security risks
       • External versus Internal – Where’s the greater threat?
       • Costs of doing nothing
    32. The Evolution of Security Risks
       • TOP OF THE NEWS --Cyber Criminals Targeting Smaller US Firms; Get Millions (August 25, 2009) Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. [Guest Editor's Note (Rob Lee): We are seeing a lot of these. There are three contributing reasons they are growing so fast: (1) Low threat of arrest in these "safe havens," (2) High payout for the crime, and (3) Victim sharing data on these attacks has been minimal. The attacks are amazingly simple and the amount of money taken is large. The firms do not know how to protect themselves. In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards. Small businesses are being affected greatly by poor security practices. It isn't a risk issue. It is a survival one.]
    33. External versus Internal – Where’s the greater threat?
       • 87% of FBI respondents in 2005 survey indicated that they had some form of security incident
       • 73% of threat is internal
       • 23% is external (Where did the other 4% go to?)
       • Average internal threat costs the company 2.7 million
       • Average external threat costs the company $57,000
    34. Costs of doing nothing (or not doing it right)
       • The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research.
       • T.J. Maxx Security Breach Costs Soar To 10 Times Earlier Estimate
         • The retailers' second-quarter earnings show that the company had to absorb $118 million in that quarter alone. That's added to earlier breach costs of $17 million.
    35. SANS Top 20
       • Client-side Vulnerabilities in: C1. Web Browsers, C2. Office Software, C3. Email Clients, C4. Media Players
       • Server-side Vulnerabilities in: S1. Web Applications, S2. Windows Services, S3. Unix and Mac OS Services, S4. Backup Software, S5. Anti-virus Software, S6. Management Servers, S7. Database Software
       • Security Policy and Personnel: H1. Excessive User Rights and Unauthorized Devices, H2. Phishing/Spear Phishing, H3. Unencrypted Laptops and Removable Media
       • Application Abuse: A1. Instant Messaging, A2. Peer-to-Peer Programs
       • Network Devices: N1. VoIP Servers and Phones
       • Zero Day Attacks: Z1. Zero Day Attacks
    36. Top 10 Trends (per SANS)
       • Encrypting mobile devices
       • Theft of mobile devices
       • Additional laws
       • Cyber attacks to increase
       • Cell phone worms
       • VOIP attacks
       • Spyware
       • 0-Day exploits
       • Rootkit bots
       • Network Access Control will become more important
    37. Security Web Sites (Just a few)
       • SysAdmin, Audit, Network, Security
       • Center for Internet Security
       • NSA Security Configuration Guides
       • NIST Computer Security Division
    38. My Contact Info
       • LinkedIn: Scott Frost
       • Email: [email_address]
       • Web Site: