SlideShare a Scribd company logo

A6704d01

M
mudigonda

dis is my ppt of my college level comp in en

EducationTechnologyBusiness
1 of 35
Download to read offline
Internet Security and Cyber Crime … or It’s not paranoia if they’re really after you. Sam Lumpkin Senior Security Architect 2AB, Inc. info@2ab.com www.2AB.com 1
Integration Platform For Trusted Solutions www.2AB.com Authentication Business Logic Infrastructure Access Control Confidentiality / Message Integrity Business Logic Access Auditing & Decision, Attribute Mgt, Administration Auditing, Policy Mgt
How Management Views Their Company’s Security 3
How Internal Users View Their Company’s Security 4
How Crackers and Script Kiddies View a Company’s Security 5
How Bad Can It Be? 6
Current Headlines FBI Issues Water Supply Cyberterror Warning Al-Qaida terrorists have scoured the Web for information on the computerized systems that control water distribution and treatment, NIPC warns. By Kevin Poulsen, www.securityfocus.com 7
Current Headlines Microsoft Store Offline After Insecurity Exposed. By Brian McWilliams, Newsbytes Jan 11 2002 5:52PM PT An online store operated by Microsoft Corp. [NASDAQ: MSFT] for software developers was unavailable today following reports that a security flaw gave visitors the ability to take control of the site, including access of customer data. www.securityfocus.com 8
Current Headlines NASA Hacker Gets 21 Months Jason 'Shadow Knight' Diekman cracked JPL, Stanford University and others. By Dick Kelsey, Newsbytes Feb 5 2002 5:28PM PT www.securityfocus.com 9
Headlines Lloyd's of London To Offer Hacker Insurance Lloyd's of London, one of world's largest insurance firms, has partnered with San Jose, California- based Counterpane Security, Inc. to offer insurance against business losses due to mischief by hackers. By Lori Enos E-Commerce Times July 10, 2000 10
Prediction Denial of service attacks against companies such as Yahoo! and Amazon.com illustrated the susceptibility of even well- established organizations to hacker attacks. Security incidents had not been widely reported prior to the broadband explosion, however, the Gartner Group predicts that by 2004, service providers will witness a 200 percent increase in the cost of responding to security incidents due to broadband connections. Pamela Warren, Nortel/Shasta 11
How common is unauthorized system entry? A survey conducted by the Science Applications International Corp. in 1996 found that 40 major corporations reported losing over $800 million to computer break-ins. An FBI survey of 428 government, corporate and university sites found that over 40% reported having been broken into at least once in the last year. One third said that they had been broken into over the Internet. Another survey found that the Pentagon's systems that contain sensitive, but unclassified information, had been accessed via networks illegally 250,000 times and only 150 of the intrusions were detected. The FBI estimates that U.S. businesses loose $138 million every year to hackers. According to the CIA in the past three years government systems have been illegally entered 250,000. from student paper by Jimmy Sproles and Will Byars for a Computer Ethics Course at ETSU 1998 http://www-cs.etsu-tn.edu/gotterbarn/stdntppr/stats.htm 12
Point and Click Cracking ÜHacker/Cracker toolkits ÜPassword crackers Ü“Script Kiddies” 13
Are “They” in YOUR System? • Most companies do not know. • There is no plan to review logs or scan for unusual activity. • Physical access is not controlled in a consistent manner. • If an intrusion were detected or even suspected, there is no procedure designed to deal with it. 14
Who Are “They”? ÜExternal “They”: v“Script Kiddies” (i.e. children) vSkilled crackers vForeign nationals (well funded) vCompetitors or their agents ÜInternal “They”: vDisgruntled employees vContractors, vendors, temps, etc. 15
What Can “They” Do? The worst thing “they” can do is to simply quietly gather information and sell it to your competitors, or to other crackers. This can include customer information, trade secrets, payroll information, proposals, and bids. You won’t even know the information has been compromised. 16
What Else Can “They” Do? ÜDestroy data ÜAlter data ÜEffect any system controlled by computers. ÜImbed Trojan programs for later exploitation. 17
Why should you care? How much is your information worth? What happens if a competitor has access to your pricing, your bids, and your payroll information? How much of you information could you do without and still do business? With the explosion of on-line services, controlling access to personal information is critical! The demands of consumers and the requirements of many government regulations such as US Code Title 47 and HIPAA make it mandatory that information be protected. 18
Why Should You Care? Corporate Officers And Directors Need To Take Responsibility For Securing Corporate Information Assets, Report Says Recourse Technologies™ Report, Written by Tech Industry Legal Expert, Finds Evidence That Directors/Officers Can be Held Liable for Loss of Data Due to Hacking. www.recourse.com/download/press/PDF/07.30.01_NOC.pdf 19
What About Firewalls? ÜFirewalls help protect the perimeter of your network. (The hard “candy” shell) ÜThe “soft chewy center” needs protecting, too. ÜFirewalls can and are compromised. 20
Why Protect an Intranet? ÜAs stated before, firewalls can and are compromised. ÜThe only secure system is a system with no input or output, but what good is it? Ü Attacks also come from within the perimeter from vendors, contractors, and even employees. 21
How Do I Begin? It isn’t magic; but don’t start from scratch. Resources: Ø Reference Books Ø The Internet Ø Consultation Ø Off The Shelf Software 22
Awareness ÜInitial awareness program vExisting information dissemination methods vSpecial security awareness presentations ÜOngoing awareness (updates, etc.) vSecurity awareness newsletter ÜNew employee/contractor orientation 23
Implementation Ü Physical Constraints v Locks § Time Locks § Cipher Locks v “Man Traps” v “Tamper Proof” Containers 24
Implementation ÜElectronic Access vProximity Badges vBiometrics (the Oldest Form of Authentication) § Fingerprint § Voice Recognition § Retinal Scan § Face Recognition vMust have human oversight! 25
Implementation ÜMonitoring for Adherence to Established Practices and Policies. v Access logs (paper and electronic). v “Two man” accountability. v Visitor sign-in and escort. v Monitoring and review of video surveillance. v Regular audits (internal and external). v Mechanized scans of logs for anomalies. 26
Implementation Ü Computer Access Controls. v Logon ID and Password v Digital Certificate/Smart Card v Hard Token (i.e. SecureID) v Biometrics v Integrated with Physical Access Method? v Logging! (with Review) v Regular Audits of Access Lists 27
Implementation Ü Access Authorization v Role based v Specific Individual v Dependent on Authentication Mechanism v High Level § Corporate Directory § CORBASec ADO (Access Decision Object) vGranular § CORBA RAD (Resource Access Decision) 28
Policy Implementation Ü Integration of Physical and Computer Security Policies and Procedures. Ü Usability Studies. Ü Log, Review, Audit. Ü Consider Outside Certification. Ü Nothing Can Replace the Human Mind and the Human Eye for Monitoring and Review. 29
Logging ÜTurn on logging! ÜAllocate headcount to review logs. ÜTrain reviewer(s). ÜPolicy should dictate actions specifically. vShut down intruder(s) immediately or vTrack intruder to determine intent/build case. v Honeypot? 30
Enforcement ÜManual vReview system logs vNetwork/platform scans vVarious periodic audits ÜAutomatic vPlatform password restrictions vFirewalls, proxies, etc. vVarious policy enforcement tools 31
Policies Ü Must Be Documented Ü Clear, Concise, Well Indexed, Available Ü Consider Online, Web Based Ü Various Products Can “Jump Start” the Creation and Maintenance of Policies Ü Regular Reviews Ü Communication, Communication, Communication! 32
Some Resources Ü ICSA White Paper on Computer Crime Statistics v http://www.trusecure.com/html/tspub/whitepapers/ crime.pdf Ü http://www.securityfocus.com/vulns/stats.shtml Ü … but don’t always believe Statistics v http://www.attrition.org/errata/stats.html 33
More Resources ÜInformation Security Policies Made Easy – Version 7; by Charles Cresson Wood ÜSecrets & Lies – Digital Security in a Networked World; by Bruce Schneier Ühttp://csrc.nist.gov • http://www.security-policy.org • http://www.msb.edu/faculty/culnanm/ gippshome.html 34
Thanks for Listening Sam Lumpkin and Marty Byrne info@2ab.com 2AB, Inc. 205-621-7455 www.2ab.com 35

Recommended

Window of Compromise
Window of CompromiseWindow of Compromise
Window of CompromiseSecurityMetrics
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Ulf Mattsson
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
Hacking3e ppt ch10
Hacking3e ppt ch10Hacking3e ppt ch10
Hacking3e ppt ch10Skillspire LLC
 
Funsec3e ppt ch03
Funsec3e ppt ch03Funsec3e ppt ch03
Funsec3e ppt ch03Skillspire LLC
 
Funsec3e ppt ch05
Funsec3e ppt ch05Funsec3e ppt ch05
Funsec3e ppt ch05Skillspire LLC
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
ghostsinthemachine2
ghostsinthemachine2ghostsinthemachine2
ghostsinthemachine2Shane Kite
 

Recommended

Window of Compromise
Window of CompromiseWindow of Compromise
Window of CompromiseSecurityMetrics
 
Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Risk Management Practices for PCI DSS 2.0
Risk Management Practices for PCI DSS 2.0Ulf Mattsson
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
Hacking3e ppt ch10
Hacking3e ppt ch10Hacking3e ppt ch10
Hacking3e ppt ch10Skillspire LLC
 
Funsec3e ppt ch03
Funsec3e ppt ch03Funsec3e ppt ch03
Funsec3e ppt ch03Skillspire LLC
 
Funsec3e ppt ch05
Funsec3e ppt ch05Funsec3e ppt ch05
Funsec3e ppt ch05Skillspire LLC
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperTop Solutions and Tools to Prevent Devastating Malware White Paper
Top Solutions and Tools to Prevent Devastating Malware White PaperNetIQ
 
ghostsinthemachine2
ghostsinthemachine2ghostsinthemachine2
ghostsinthemachine2Shane Kite
 
Hacking3e ppt ch13
Hacking3e ppt ch13Hacking3e ppt ch13
Hacking3e ppt ch13Skillspire LLC
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
APT & What we can do TODAY
APT & What we can do TODAYAPT & What we can do TODAY
APT & What we can do TODAYJames Ryan, CSyP, EA, PMP
 
Ulf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf Mattsson
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTGerry Skipwith
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoVictor Oluwajuwon Badejo
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Source Conference
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWithum
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWebinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWithum
 
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due DiligenceResilient Systems
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Ulf Mattsson
 
Security
SecuritySecurity
SecurityBob Cherry
 
One of 2 protect your business
One of 2 protect your businessOne of 2 protect your business
One of 2 protect your businessManagement Insights LLC
 
Merit Event - Closing the Back Door in Your Systems
Merit Event - Closing the Back Door in Your SystemsMerit Event - Closing the Back Door in Your Systems
Merit Event - Closing the Back Door in Your Systemsmeritnorthwest
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
ISACA Los Angeles 2010 Compliance - Ulf MattssonISACA Los Angeles 2010 Compliance - Ulf Mattsson
ISACA Los Angeles 2010 Compliance - Ulf MattssonUlf Mattsson
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesGFI Software
 
13 listrik-statis
13 listrik-statis13 listrik-statis
13 listrik-statisBagus Arif Wicaksono
 
Hubble Telescope Pictures
Hubble Telescope PicturesHubble Telescope Pictures
Hubble Telescope Picturesedinakovacs12
 

More Related Content

What's hot

Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForcePatrick Bouillaud
 
Ulf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf Mattsson
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTGerry Skipwith
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Source Conference
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWithum
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWebinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWithum
 
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due DiligenceResilient Systems
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Ulf Mattsson
 
Merit Event - Closing the Back Door in Your Systems
Merit Event - Closing the Back Door in Your SystemsMerit Event - Closing the Back Door in Your Systems
Merit Event - Closing the Back Door in Your Systemsmeritnorthwest
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3Meg Weber
 
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
ISACA Los Angeles 2010 Compliance - Ulf MattssonISACA Los Angeles 2010 Compliance - Ulf Mattsson
ISACA Los Angeles 2010 Compliance - Ulf MattssonUlf Mattsson
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesGFI Software
 

What's hot (20)

Hacking3e ppt ch13
Hacking3e ppt ch13Hacking3e ppt ch13
Hacking3e ppt ch13
 
Securité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-ForceSecurité : Le rapport 2Q de la X-Force
Securité : Le rapport 2Q de la X-Force
 
APT & What we can do TODAY
APT & What we can do TODAYAPT & What we can do TODAY
APT & What we can do TODAY
 
Ulf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare versionUlf mattsson webinar jun 7 2012 slideshare version
Ulf mattsson webinar jun 7 2012 slideshare version
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
 
Case study on JP Morgan Chase & Co
Case study on JP Morgan Chase & CoCase study on JP Morgan Chase & Co
Case study on JP Morgan Chase & Co
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the Trenches
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And Key
 
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for NonprofitsWebinar: Understanding the Cyber Threat Landscape for Nonprofits
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
 
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
 
Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011Issa chicago next generation tokenization ulf mattsson apr 2011
Issa chicago next generation tokenization ulf mattsson apr 2011
 
Security
SecuritySecurity
Security
 
One of 2 protect your business
One of 2 protect your businessOne of 2 protect your business
One of 2 protect your business
 
Merit Event - Closing the Back Door in Your Systems
Merit Event - Closing the Back Door in Your SystemsMerit Event - Closing the Back Door in Your Systems
Merit Event - Closing the Back Door in Your Systems
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
ISACA Los Angeles 2010 Compliance - Ulf MattssonISACA Los Angeles 2010 Compliance - Ulf Mattsson
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage Devices
 

Viewers also liked

Hubble Telescope Pictures
Hubble Telescope PicturesHubble Telescope Pictures
Hubble Telescope Picturesedinakovacs12
 
Fin man 1 the introduction
Fin man 1 the introductionFin man 1 the introduction
Fin man 1 the introductionJimmi Sinton
 
Phun with physics
Phun with physicsPhun with physics
Phun with physicseawalker17
 
Awd power point
Awd power pointAwd power point
Awd power pointWiseGuys
 
Fin man 7 receivable management
Fin man 7 receivable managementFin man 7 receivable management
Fin man 7 receivable managementJimmi Sinton
 
Fin man 5 break even point and leverage analysis
Fin man 5 break even point and leverage analysisFin man 5 break even point and leverage analysis
Fin man 5 break even point and leverage analysisJimmi Sinton
 
Fin man 6 financial leverage
Fin man 6 financial leverageFin man 6 financial leverage
Fin man 6 financial leverageJimmi Sinton
 

Viewers also liked (18)

13 listrik-statis
13 listrik-statis13 listrik-statis
13 listrik-statis
 
Hubble Telescope Pictures
Hubble Telescope PicturesHubble Telescope Pictures
Hubble Telescope Pictures
 
Bbvl 03
Bbvl 03Bbvl 03
Bbvl 03
 
Proglin
ProglinProglin
Proglin
 
08 momentum
08 momentum08 momentum
08 momentum
 
Bbvl 08
Bbvl 08Bbvl 08
Bbvl 08
 
Fin man 1 the introduction
Fin man 1 the introductionFin man 1 the introduction
Fin man 1 the introduction
 
Bbvl 07
Bbvl 07Bbvl 07
Bbvl 07
 
Phun with physics
Phun with physicsPhun with physics
Phun with physics
 
Bbvl 15
Bbvl 15Bbvl 15
Bbvl 15
 
Bbvl 05
Bbvl 05Bbvl 05
Bbvl 05
 
Awd power point
Awd power pointAwd power point
Awd power point
 
02 gerak-lurus
02 gerak-lurus02 gerak-lurus
02 gerak-lurus
 
17 optika-geometri
17 optika-geometri17 optika-geometri
17 optika-geometri
 
Fin man 7 receivable management
Fin man 7 receivable managementFin man 7 receivable management
Fin man 7 receivable management
 
14 listrik-dinamis
14 listrik-dinamis14 listrik-dinamis
14 listrik-dinamis
 
Fin man 5 break even point and leverage analysis
Fin man 5 break even point and leverage analysisFin man 5 break even point and leverage analysis
Fin man 5 break even point and leverage analysis
 
Fin man 6 financial leverage
Fin man 6 financial leverageFin man 6 financial leverage
Fin man 6 financial leverage
 

Similar to A6704d01

2013 PMA Business Security Insights
2013 PMA Business Security Insights2013 PMA Business Security Insights
2013 PMA Business Security Insightsgotopaz
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselCasey Ellis
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counselbugcrowd
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...Casey Ellis
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security BasicsMohan Jadhav
 
Key note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougKey note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougUlf Mattsson
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesSplunk
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityUlf Mattsson
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015Paul Ferrillo
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security
 
Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Aviva Spectrum™
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Managementipspat
 
The good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breachThe good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breachUlf Mattsson
 
Big data security the perfect storm
Big data security the perfect stormBig data security the perfect storm
Big data security the perfect stormUlf Mattsson
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
IT-Risks-for-Non-profits-September-18SEPT17.pptx
IT-Risks-for-Non-profits-September-18SEPT17.pptxIT-Risks-for-Non-profits-September-18SEPT17.pptx
IT-Risks-for-Non-profits-September-18SEPT17.pptxSAbedinArman
 

Similar to A6704d01 (20)

2013 PMA Business Security Insights
2013 PMA Business Security Insights2013 PMA Business Security Insights
2013 PMA Business Security Insights
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
IBM X-Force.PDF
IBM X-Force.PDFIBM X-Force.PDF
IBM X-Force.PDF
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Key note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougKey note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyoug
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting Breaches
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data security
 
cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015cybersecurity_alert_feb_12_2015
cybersecurity_alert_feb_12_2015
 
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
 
Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach Cyber Security: User Access Pitfalls, A Case Study Approach
Cyber Security: User Access Pitfalls, A Case Study Approach
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
The good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breachThe good, the bad and the ugly of the target data breach
The good, the bad and the ugly of the target data breach
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Big data security the perfect storm
Big data security the perfect stormBig data security the perfect storm
Big data security the perfect storm
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
IT-Risks-for-Non-profits-September-18SEPT17.pptx
IT-Risks-for-Non-profits-September-18SEPT17.pptxIT-Risks-for-Non-profits-September-18SEPT17.pptx
IT-Risks-for-Non-profits-September-18SEPT17.pptx
 

Recently uploaded

GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 

Recently uploaded (20)

FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 

A6704d01

  • 1. Internet Security and Cyber Crime … or It’s not paranoia if they’re really after you. Sam Lumpkin Senior Security Architect 2AB, Inc. info@2ab.com www.2AB.com 1
  • 2. Integration Platform For Trusted Solutions www.2AB.com Authentication Business Logic Infrastructure Access Control Confidentiality / Message Integrity Business Logic Access Auditing & Decision, Attribute Mgt, Administration Auditing, Policy Mgt
  • 3. How Management Views Their Company’s Security 3
  • 4. How Internal Users View Their Company’s Security 4
  • 5. How Crackers and Script Kiddies View a Company’s Security 5
  • 6. How Bad Can It Be? 6
  • 7. Current Headlines FBI Issues Water Supply Cyberterror Warning Al-Qaida terrorists have scoured the Web for information on the computerized systems that control water distribution and treatment, NIPC warns. By Kevin Poulsen, www.securityfocus.com 7
  • 8. Current Headlines Microsoft Store Offline After Insecurity Exposed. By Brian McWilliams, Newsbytes Jan 11 2002 5:52PM PT An online store operated by Microsoft Corp. [NASDAQ: MSFT] for software developers was unavailable today following reports that a security flaw gave visitors the ability to take control of the site, including access of customer data. www.securityfocus.com 8
  • 9. Current Headlines NASA Hacker Gets 21 Months Jason 'Shadow Knight' Diekman cracked JPL, Stanford University and others. By Dick Kelsey, Newsbytes Feb 5 2002 5:28PM PT www.securityfocus.com 9
  • 10. Headlines Lloyd's of London To Offer Hacker Insurance Lloyd's of London, one of world's largest insurance firms, has partnered with San Jose, California- based Counterpane Security, Inc. to offer insurance against business losses due to mischief by hackers. By Lori Enos E-Commerce Times July 10, 2000 10
  • 11. Prediction Denial of service attacks against companies such as Yahoo! and Amazon.com illustrated the susceptibility of even well- established organizations to hacker attacks. Security incidents had not been widely reported prior to the broadband explosion, however, the Gartner Group predicts that by 2004, service providers will witness a 200 percent increase in the cost of responding to security incidents due to broadband connections. Pamela Warren, Nortel/Shasta 11
  • 12. How common is unauthorized system entry? A survey conducted by the Science Applications International Corp. in 1996 found that 40 major corporations reported losing over $800 million to computer break-ins. An FBI survey of 428 government, corporate and university sites found that over 40% reported having been broken into at least once in the last year. One third said that they had been broken into over the Internet. Another survey found that the Pentagon's systems that contain sensitive, but unclassified information, had been accessed via networks illegally 250,000 times and only 150 of the intrusions were detected. The FBI estimates that U.S. businesses loose $138 million every year to hackers. According to the CIA in the past three years government systems have been illegally entered 250,000. from student paper by Jimmy Sproles and Will Byars for a Computer Ethics Course at ETSU 1998 http://www-cs.etsu-tn.edu/gotterbarn/stdntppr/stats.htm 12
  • 13. Point and Click Cracking ÜHacker/Cracker toolkits ÜPassword crackers Ü“Script Kiddies” 13
  • 14. Are “They” in YOUR System? • Most companies do not know. • There is no plan to review logs or scan for unusual activity. • Physical access is not controlled in a consistent manner. • If an intrusion were detected or even suspected, there is no procedure designed to deal with it. 14
  • 15. Who Are “They”? ÜExternal “They”: v“Script Kiddies” (i.e. children) vSkilled crackers vForeign nationals (well funded) vCompetitors or their agents ÜInternal “They”: vDisgruntled employees vContractors, vendors, temps, etc. 15
  • 16. What Can “They” Do? The worst thing “they” can do is to simply quietly gather information and sell it to your competitors, or to other crackers. This can include customer information, trade secrets, payroll information, proposals, and bids. You won’t even know the information has been compromised. 16
  • 17. What Else Can “They” Do? ÜDestroy data ÜAlter data ÜEffect any system controlled by computers. ÜImbed Trojan programs for later exploitation. 17
  • 18. Why should you care? How much is your information worth? What happens if a competitor has access to your pricing, your bids, and your payroll information? How much of you information could you do without and still do business? With the explosion of on-line services, controlling access to personal information is critical! The demands of consumers and the requirements of many government regulations such as US Code Title 47 and HIPAA make it mandatory that information be protected. 18
  • 19. Why Should You Care? Corporate Officers And Directors Need To Take Responsibility For Securing Corporate Information Assets, Report Says Recourse Technologies™ Report, Written by Tech Industry Legal Expert, Finds Evidence That Directors/Officers Can be Held Liable for Loss of Data Due to Hacking. www.recourse.com/download/press/PDF/07.30.01_NOC.pdf 19
  • 20. What About Firewalls? ÜFirewalls help protect the perimeter of your network. (The hard “candy” shell) ÜThe “soft chewy center” needs protecting, too. ÜFirewalls can and are compromised. 20
  • 21. Why Protect an Intranet? ÜAs stated before, firewalls can and are compromised. ÜThe only secure system is a system with no input or output, but what good is it? Ü Attacks also come from within the perimeter from vendors, contractors, and even employees. 21
  • 22. How Do I Begin? It isn’t magic; but don’t start from scratch. Resources: Ø Reference Books Ø The Internet Ø Consultation Ø Off The Shelf Software 22
  • 23. Awareness ÜInitial awareness program vExisting information dissemination methods vSpecial security awareness presentations ÜOngoing awareness (updates, etc.) vSecurity awareness newsletter ÜNew employee/contractor orientation 23
  • 24. Implementation Ü Physical Constraints v Locks § Time Locks § Cipher Locks v “Man Traps” v “Tamper Proof” Containers 24
  • 25. Implementation ÜElectronic Access vProximity Badges vBiometrics (the Oldest Form of Authentication) § Fingerprint § Voice Recognition § Retinal Scan § Face Recognition vMust have human oversight! 25
  • 26. Implementation ÜMonitoring for Adherence to Established Practices and Policies. v Access logs (paper and electronic). v “Two man” accountability. v Visitor sign-in and escort. v Monitoring and review of video surveillance. v Regular audits (internal and external). v Mechanized scans of logs for anomalies. 26
  • 27. Implementation Ü Computer Access Controls. v Logon ID and Password v Digital Certificate/Smart Card v Hard Token (i.e. SecureID) v Biometrics v Integrated with Physical Access Method? v Logging! (with Review) v Regular Audits of Access Lists 27
  • 28. Implementation Ü Access Authorization v Role based v Specific Individual v Dependent on Authentication Mechanism v High Level § Corporate Directory § CORBASec ADO (Access Decision Object) vGranular § CORBA RAD (Resource Access Decision) 28
  • 29. Policy Implementation Ü Integration of Physical and Computer Security Policies and Procedures. Ü Usability Studies. Ü Log, Review, Audit. Ü Consider Outside Certification. Ü Nothing Can Replace the Human Mind and the Human Eye for Monitoring and Review. 29
  • 30. Logging ÜTurn on logging! ÜAllocate headcount to review logs. ÜTrain reviewer(s). ÜPolicy should dictate actions specifically. vShut down intruder(s) immediately or vTrack intruder to determine intent/build case. v Honeypot? 30
  • 31. Enforcement ÜManual vReview system logs vNetwork/platform scans vVarious periodic audits ÜAutomatic vPlatform password restrictions vFirewalls, proxies, etc. vVarious policy enforcement tools 31
  • 32. Policies Ü Must Be Documented Ü Clear, Concise, Well Indexed, Available Ü Consider Online, Web Based Ü Various Products Can “Jump Start” the Creation and Maintenance of Policies Ü Regular Reviews Ü Communication, Communication, Communication! 32
  • 33. Some Resources Ü ICSA White Paper on Computer Crime Statistics v http://www.trusecure.com/html/tspub/whitepapers/ crime.pdf Ü http://www.securityfocus.com/vulns/stats.shtml Ü … but don’t always believe Statistics v http://www.attrition.org/errata/stats.html 33
  • 34. More Resources ÜInformation Security Policies Made Easy – Version 7; by Charles Cresson Wood ÜSecrets & Lies – Digital Security in a Networked World; by Bruce Schneier Ühttp://csrc.nist.gov • http://www.security-policy.org • http://www.msb.edu/faculty/culnanm/ gippshome.html 34
  • 35. Thanks for Listening Sam Lumpkin and Marty Byrne info@2ab.com 2AB, Inc. 205-621-7455 www.2ab.com 35