Uploaded bymudigonda
249 views

A6704d01

This document discusses internet security and cybercrime. It begins with an introduction by Sam Lumpkin of 2AB, Inc and then covers the following topics: how different groups view security (management, users, hackers); examples of security breaches and headlines; how common unauthorized access is; what hackers can do; why companies should care about security; how to begin securing a network; implementing security through awareness, physical controls, electronic access controls, access authorization, policy, and logging; and enforcing security policies.

Embed presentation

Download to read offline
Internet Security and Cyber Crime … or It’s not paranoia if they’re really after you. Sam Lumpkin Senior Security Architect 2AB, Inc. info@2ab.com www.2AB.com 1
Integration Platform For Trusted Solutions www.2AB.com Authentication Business Logic Infrastructure Access Control Confidentiality / Message Integrity Business Logic Access Auditing & Decision, Attribute Mgt, Administration Auditing, Policy Mgt
How Management Views Their Company’s Security 3
How Internal Users View Their Company’s Security 4
How Crackers and Script Kiddies View a Company’s Security 5
How Bad Can It Be? 6
Current Headlines FBI Issues Water Supply Cyberterror Warning Al-Qaida terrorists have scoured the Web for information on the computerized systems that control water distribution and treatment, NIPC warns. By Kevin Poulsen, www.securityfocus.com 7
Current Headlines Microsoft Store Offline After Insecurity Exposed. By Brian McWilliams, Newsbytes Jan 11 2002 5:52PM PT An online store operated by Microsoft Corp. [NASDAQ: MSFT] for software developers was unavailable today following reports that a security flaw gave visitors the ability to take control of the site, including access of customer data. www.securityfocus.com 8
Current Headlines NASA Hacker Gets 21 Months Jason 'Shadow Knight' Diekman cracked JPL, Stanford University and others. By Dick Kelsey, Newsbytes Feb 5 2002 5:28PM PT www.securityfocus.com 9
Headlines Lloyd's of London To Offer Hacker Insurance Lloyd's of London, one of world's largest insurance firms, has partnered with San Jose, California- based Counterpane Security, Inc. to offer insurance against business losses due to mischief by hackers. By Lori Enos E-Commerce Times July 10, 2000 10
Prediction Denial of service attacks against companies such as Yahoo! and Amazon.com illustrated the susceptibility of even well- established organizations to hacker attacks. Security incidents had not been widely reported prior to the broadband explosion, however, the Gartner Group predicts that by 2004, service providers will witness a 200 percent increase in the cost of responding to security incidents due to broadband connections. Pamela Warren, Nortel/Shasta 11
How common is unauthorized system entry? A survey conducted by the Science Applications International Corp. in 1996 found that 40 major corporations reported losing over $800 million to computer break-ins. An FBI survey of 428 government, corporate and university sites found that over 40% reported having been broken into at least once in the last year. One third said that they had been broken into over the Internet. Another survey found that the Pentagon's systems that contain sensitive, but unclassified information, had been accessed via networks illegally 250,000 times and only 150 of the intrusions were detected. The FBI estimates that U.S. businesses loose $138 million every year to hackers. According to the CIA in the past three years government systems have been illegally entered 250,000. from student paper by Jimmy Sproles and Will Byars for a Computer Ethics Course at ETSU 1998 http://www-cs.etsu-tn.edu/gotterbarn/stdntppr/stats.htm 12
Point and Click Cracking ÜHacker/Cracker toolkits ÜPassword crackers Ü“Script Kiddies” 13
Are “They” in YOUR System? • Most companies do not know. • There is no plan to review logs or scan for unusual activity. • Physical access is not controlled in a consistent manner. • If an intrusion were detected or even suspected, there is no procedure designed to deal with it. 14
Who Are “They”? ÜExternal “They”: v“Script Kiddies” (i.e. children) vSkilled crackers vForeign nationals (well funded) vCompetitors or their agents ÜInternal “They”: vDisgruntled employees vContractors, vendors, temps, etc. 15
What Can “They” Do? The worst thing “they” can do is to simply quietly gather information and sell it to your competitors, or to other crackers. This can include customer information, trade secrets, payroll information, proposals, and bids. You won’t even know the information has been compromised. 16
What Else Can “They” Do? ÜDestroy data ÜAlter data ÜEffect any system controlled by computers. ÜImbed Trojan programs for later exploitation. 17
Why should you care? How much is your information worth? What happens if a competitor has access to your pricing, your bids, and your payroll information? How much of you information could you do without and still do business? With the explosion of on-line services, controlling access to personal information is critical! The demands of consumers and the requirements of many government regulations such as US Code Title 47 and HIPAA make it mandatory that information be protected. 18
Why Should You Care? Corporate Officers And Directors Need To Take Responsibility For Securing Corporate Information Assets, Report Says Recourse Technologies™ Report, Written by Tech Industry Legal Expert, Finds Evidence That Directors/Officers Can be Held Liable for Loss of Data Due to Hacking. www.recourse.com/download/press/PDF/07.30.01_NOC.pdf 19
What About Firewalls? ÜFirewalls help protect the perimeter of your network. (The hard “candy” shell) ÜThe “soft chewy center” needs protecting, too. ÜFirewalls can and are compromised. 20
Why Protect an Intranet? ÜAs stated before, firewalls can and are compromised. ÜThe only secure system is a system with no input or output, but what good is it? Ü Attacks also come from within the perimeter from vendors, contractors, and even employees. 21
How Do I Begin? It isn’t magic; but don’t start from scratch. Resources: Ø Reference Books Ø The Internet Ø Consultation Ø Off The Shelf Software 22
Awareness ÜInitial awareness program vExisting information dissemination methods vSpecial security awareness presentations ÜOngoing awareness (updates, etc.) vSecurity awareness newsletter ÜNew employee/contractor orientation 23
Implementation Ü Physical Constraints v Locks § Time Locks § Cipher Locks v “Man Traps” v “Tamper Proof” Containers 24
Implementation ÜElectronic Access vProximity Badges vBiometrics (the Oldest Form of Authentication) § Fingerprint § Voice Recognition § Retinal Scan § Face Recognition vMust have human oversight! 25
Implementation ÜMonitoring for Adherence to Established Practices and Policies. v Access logs (paper and electronic). v “Two man” accountability. v Visitor sign-in and escort. v Monitoring and review of video surveillance. v Regular audits (internal and external). v Mechanized scans of logs for anomalies. 26
Implementation Ü Computer Access Controls. v Logon ID and Password v Digital Certificate/Smart Card v Hard Token (i.e. SecureID) v Biometrics v Integrated with Physical Access Method? v Logging! (with Review) v Regular Audits of Access Lists 27
Implementation Ü Access Authorization v Role based v Specific Individual v Dependent on Authentication Mechanism v High Level § Corporate Directory § CORBASec ADO (Access Decision Object) vGranular § CORBA RAD (Resource Access Decision) 28
Policy Implementation Ü Integration of Physical and Computer Security Policies and Procedures. Ü Usability Studies. Ü Log, Review, Audit. Ü Consider Outside Certification. Ü Nothing Can Replace the Human Mind and the Human Eye for Monitoring and Review. 29
Logging ÜTurn on logging! ÜAllocate headcount to review logs. ÜTrain reviewer(s). ÜPolicy should dictate actions specifically. vShut down intruder(s) immediately or vTrack intruder to determine intent/build case. v Honeypot? 30
Enforcement ÜManual vReview system logs vNetwork/platform scans vVarious periodic audits ÜAutomatic vPlatform password restrictions vFirewalls, proxies, etc. vVarious policy enforcement tools 31
Policies Ü Must Be Documented Ü Clear, Concise, Well Indexed, Available Ü Consider Online, Web Based Ü Various Products Can “Jump Start” the Creation and Maintenance of Policies Ü Regular Reviews Ü Communication, Communication, Communication! 32
Some Resources Ü ICSA White Paper on Computer Crime Statistics v http://www.trusecure.com/html/tspub/whitepapers/ crime.pdf Ü http://www.securityfocus.com/vulns/stats.shtml Ü … but don’t always believe Statistics v http://www.attrition.org/errata/stats.html 33
More Resources ÜInformation Security Policies Made Easy – Version 7; by Charles Cresson Wood ÜSecrets & Lies – Digital Security in a Networked World; by Bruce Schneier Ühttp://csrc.nist.gov • http://www.security-policy.org • http://www.msb.edu/faculty/culnanm/ gippshome.html 34
Thanks for Listening Sam Lumpkin and Marty Byrne info@2ab.com 2AB, Inc. 205-621-7455 www.2ab.com 35

More Related Content

PDF
Window of Compromise
bySecurityMetrics
 
PPTX
Risk Management Practices for PCI DSS 2.0
byUlf Mattsson
 
PPTX
Halvorsen on Risk Cyber Webinar
byHalvorsen on Risk
 
PDF
Top Solutions and Tools to Prevent Devastating Malware White Paper
byNetIQ
 
PDF
ghostsinthemachine2
byShane Kite
 
PDF
Securité : Le rapport 2Q de la X-Force
byPatrick Bouillaud
 
PPTX
APT & What we can do TODAY
byJames Ryan, CSyP, EA, PMP
 
PPTX
Ulf mattsson webinar jun 7 2012 slideshare version
byUlf Mattsson
 
Window of Compromise
bySecurityMetrics
 
Risk Management Practices for PCI DSS 2.0
byUlf Mattsson
 
Halvorsen on Risk Cyber Webinar
byHalvorsen on Risk
 
Top Solutions and Tools to Prevent Devastating Malware White Paper
byNetIQ
 
ghostsinthemachine2
byShane Kite
 
Securité : Le rapport 2Q de la X-Force
byPatrick Bouillaud
 
APT & What we can do TODAY
byJames Ryan, CSyP, EA, PMP
 
Ulf mattsson webinar jun 7 2012 slideshare version
byUlf Mattsson
 

What's hot

PPTX
Owasp e crime-london-2012-final
byMarco Morana
 
PDF
Security And Privacy Cagliari 2012
byMarco Morana
 
PDF
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
byGerry Skipwith
 
DOCX
Case study on JP Morgan Chase & Co
byVictor Oluwajuwon Badejo
 
PDF
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
bySource Conference
 
PPTX
Webinar: Be Cyber Smart – Stories from the Trenches
byWithum
 
PDF
Under Lock And Key
byYarko Petriw
 
PDF
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
byWithum
 
PPTX
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
byResilient Systems
 
PDF
Issa chicago next generation tokenization ulf mattsson apr 2011
byUlf Mattsson
 
PDF
Security
byBob Cherry
 
PPTX
One of 2 protect your business
byManagement Insights LLC
 
PPT
Merit Event - Closing the Back Door in Your Systems
bymeritnorthwest
 
PDF
2014 ota databreach3
byMeg Weber
 
PDF
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
byUlf Mattsson
 
PDF
The Threats Posed by Portable Storage Devices
byGFI Software
 
Owasp e crime-london-2012-final
byMarco Morana
 
Security And Privacy Cagliari 2012
byMarco Morana
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
byGerry Skipwith
 
Case study on JP Morgan Chase & Co
byVictor Oluwajuwon Badejo
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
bySource Conference
 
Webinar: Be Cyber Smart – Stories from the Trenches
byWithum
 
Under Lock And Key
byYarko Petriw
 
Webinar: Understanding the Cyber Threat Landscape for Nonprofits
byWithum
 
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
byResilient Systems
 
Issa chicago next generation tokenization ulf mattsson apr 2011
byUlf Mattsson
 
Security
byBob Cherry
 
One of 2 protect your business
byManagement Insights LLC
 
Merit Event - Closing the Back Door in Your Systems
bymeritnorthwest
 
2014 ota databreach3
byMeg Weber
 
ISACA Los Angeles 2010 Compliance - Ulf Mattsson
byUlf Mattsson
 
The Threats Posed by Portable Storage Devices
byGFI Software
 

Viewers also liked

PDF
13 listrik-statis
byBagus Arif Wicaksono
 
PPT
Hubble Telescope Pictures
byedinakovacs12
 
PDF
Bbvl 03
bystefvanloo
 
PDF
Proglin
byBagus Arif Wicaksono
 
PDF
08 momentum
byBagus Arif Wicaksono
 
PDF
Bbvl 08
bystefvanloo
 
PPTX
Fin man 1 the introduction
byJimmi Sinton
 
PDF
Bbvl 07
bystefvanloo
 
PPTX
Phun with physics
byeawalker17
 
PDF
Bbvl 15
bystefvanloo
 
PDF
Bbvl 05
bystefvanloo
 
PPTX
Awd power point
byWiseGuys
 
PDF
02 gerak-lurus
byBagus Arif Wicaksono
 
PDF
17 optika-geometri
byBagus Arif Wicaksono
 
PPTX
Fin man 7 receivable management
byJimmi Sinton
 
PDF
14 listrik-dinamis
byBagus Arif Wicaksono
 
PPTX
Fin man 5 break even point and leverage analysis
byJimmi Sinton
 
PPTX
Fin man 6 financial leverage
byJimmi Sinton
 
13 listrik-statis
byBagus Arif Wicaksono
 
Hubble Telescope Pictures
byedinakovacs12
 
Bbvl 03
bystefvanloo
 
Proglin
byBagus Arif Wicaksono
 
08 momentum
byBagus Arif Wicaksono
 
Bbvl 08
bystefvanloo
 
Fin man 1 the introduction
byJimmi Sinton
 
Bbvl 07
bystefvanloo
 
Phun with physics
byeawalker17
 
Bbvl 15
bystefvanloo
 
Bbvl 05
bystefvanloo
 
Awd power point
byWiseGuys
 
02 gerak-lurus
byBagus Arif Wicaksono
 
17 optika-geometri
byBagus Arif Wicaksono
 
Fin man 7 receivable management
byJimmi Sinton
 
14 listrik-dinamis
byBagus Arif Wicaksono
 
Fin man 5 break even point and leverage analysis
byJimmi Sinton
 
Fin man 6 financial leverage
byJimmi Sinton
 

Similar to A6704d01

KEY
Mis
bymisecho
 
KEY
Mis
bymisecho
 
KEY
Chapter 10, part 1
bymisecho
 
PDF
The Cybersecurity Mess
bySimson Garfinkel
 
PPTX
2013 PMA Business Security Insights
bygotopaz
 
PPTX
LIS3353 SP12 Week 9
byAmanda Case
 
PPT
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
PPTX
Security_Awareness_Primer.pptx
byFaith Shimba
 
PPTX
Management Information System Presentation
byAaDi Malik
 
PPTX
Information Security
bysteffiann88
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
PPT
Cyberterrorism
byVarshil Patel
 
PPTX
It security the condensed version
byBrian Pichman
 
PPTX
How To Secure MIS
byAaDi Malik
 
PDF
Why My E Identity Needs Protection
byecarrow
 
PPT
Ch10
byAli Khawaja
 
PPT
Edith Turuka: Cyber-Security, An Eye Opener to the Society
byHamisi Kibonde
 
PPT
Hackers
byMohamed Boudchiche
 
PPT
MIS part 4_CH 11.ppt
byEndAlk15
 
PPTX
Computer Security risks Shelly
byAdeel Khurram
 
Mis
bymisecho
 
Mis
bymisecho
 
Chapter 10, part 1
bymisecho
 
The Cybersecurity Mess
bySimson Garfinkel
 
2013 PMA Business Security Insights
bygotopaz
 
LIS3353 SP12 Week 9
byAmanda Case
 
Rainer+3e Student Pp Ts Ch03
bykbzdox ivanovich
 
Security_Awareness_Primer.pptx
byFaith Shimba
 
Management Information System Presentation
byAaDi Malik
 
Information Security
bysteffiann88
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
Cyberterrorism
byVarshil Patel
 
It security the condensed version
byBrian Pichman
 
How To Secure MIS
byAaDi Malik
 
Why My E Identity Needs Protection
byecarrow
 
Ch10
byAli Khawaja
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
byHamisi Kibonde
 
Hackers
byMohamed Boudchiche
 
MIS part 4_CH 11.ppt
byEndAlk15
 
Computer Security risks Shelly
byAdeel Khurram
 

Recently uploaded

PPTX
West Hatch High School: Year 9 Art Course
byWestHatch
 
PPTX
Toba Tek Singh - Visualising Partition through Manto's Lens
bymiraljoshi48
 
PPTX
West Hatch High School -- GCSE Geography
byWestHatch
 
PPTX
Unit 3- Culture.pptx....................
byAkanksha Kotangale
 
PPTX
Drug Distribution in Pharmacology: Mechanisms, Barriers, Factors & Volume of ...
byamrin3379
 
PPTX
YSPH VMOC Special Report - Measles - The Americas 1-25-2026
byYale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
PDF
Beak Modifications by Dr. Ramzan Virani pptx.pdf
byDr. Ramzan Virani
 
PDF
Darwinism: Theory of Natural Selection and Origin of Species
byIPGDCWA,NAMPALLY
 
PDF
Chapter 05 Drug Acting on CNS Sedatives & Hypnotics | Antipsychotics.pdf
bySandeshSul
 
PPTX
Mohan - "A man of silence and authority"
bynidhibachauhan46
 
PDF
West Hatch High School - GCSE French Specification
byWestHatch
 
PPTX
'Colonial Mentality and Social Identity in Karma by Khushwant Singh'
byKrishnarajsinh Parmar
 
PPTX
Metabolism ( BIOCHEMISTRY & CLINICAL PATHOLOGY )
byBushraDeshpande
 
PDF
Risks and opportunities of artificial intelligence in education: A critical view
byYannis
 
PPTX
How Physician Assistants in the USA Earn CME Credits Online.pptx
byCME4Life
 
PPTX
TLE 8 W1 Q4 D3.pptx ELECTRICAL SYMBOLS ELECTRONIC
byraquelanaaltres1
 
PPTX
Central Line Associated Bloodstream Infection
bynabinabhaila40
 
PDF
Information about Presentation strategies
bymansivaja18126
 
PPTX
PREVENTIVE PEDIATRICS.pptx
byBANDITA PATRA
 
PPTX
The night at deoli - Ruskin bond's story of first love
byrajibhammar4
 
West Hatch High School: Year 9 Art Course
byWestHatch
 
Toba Tek Singh - Visualising Partition through Manto's Lens
bymiraljoshi48
 
West Hatch High School -- GCSE Geography
byWestHatch
 
Unit 3- Culture.pptx....................
byAkanksha Kotangale
 
Drug Distribution in Pharmacology: Mechanisms, Barriers, Factors & Volume of ...
byamrin3379
 
YSPH VMOC Special Report - Measles - The Americas 1-25-2026
byYale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
Beak Modifications by Dr. Ramzan Virani pptx.pdf
byDr. Ramzan Virani
 
Darwinism: Theory of Natural Selection and Origin of Species
byIPGDCWA,NAMPALLY
 
Chapter 05 Drug Acting on CNS Sedatives & Hypnotics | Antipsychotics.pdf
bySandeshSul
 
Mohan - "A man of silence and authority"
bynidhibachauhan46
 
West Hatch High School - GCSE French Specification
byWestHatch
 
'Colonial Mentality and Social Identity in Karma by Khushwant Singh'
byKrishnarajsinh Parmar
 
Metabolism ( BIOCHEMISTRY & CLINICAL PATHOLOGY )
byBushraDeshpande
 
Risks and opportunities of artificial intelligence in education: A critical view
byYannis
 
How Physician Assistants in the USA Earn CME Credits Online.pptx
byCME4Life
 
TLE 8 W1 Q4 D3.pptx ELECTRICAL SYMBOLS ELECTRONIC
byraquelanaaltres1
 
Central Line Associated Bloodstream Infection
bynabinabhaila40
 
Information about Presentation strategies
bymansivaja18126
 
PREVENTIVE PEDIATRICS.pptx
byBANDITA PATRA
 
The night at deoli - Ruskin bond's story of first love
byrajibhammar4
 

A6704d01

  • 1.
    Internet Security andCyber Crime … or It’s not paranoia if they’re really after you. Sam Lumpkin Senior Security Architect 2AB, Inc. info@2ab.com www.2AB.com 1
  • 2.
    Integration Platform For Trusted Solutions www.2AB.com Authentication Business Logic Infrastructure Access Control Confidentiality / Message Integrity Business Logic Access Auditing & Decision, Attribute Mgt, Administration Auditing, Policy Mgt
  • 3.
    How Management ViewsTheir Company’s Security 3
  • 4.
    How Internal UsersView Their Company’s Security 4
  • 5.
    How Crackers andScript Kiddies View a Company’s Security 5
  • 6.
    How Bad CanIt Be? 6
  • 7.
    Current Headlines FBI IssuesWater Supply Cyberterror Warning Al-Qaida terrorists have scoured the Web for information on the computerized systems that control water distribution and treatment, NIPC warns. By Kevin Poulsen, www.securityfocus.com 7
  • 8.
    Current Headlines Microsoft StoreOffline After Insecurity Exposed. By Brian McWilliams, Newsbytes Jan 11 2002 5:52PM PT An online store operated by Microsoft Corp. [NASDAQ: MSFT] for software developers was unavailable today following reports that a security flaw gave visitors the ability to take control of the site, including access of customer data. www.securityfocus.com 8
  • 9.
    Current Headlines NASA HackerGets 21 Months Jason 'Shadow Knight' Diekman cracked JPL, Stanford University and others. By Dick Kelsey, Newsbytes Feb 5 2002 5:28PM PT www.securityfocus.com 9
  • 10.
    Headlines Lloyd's of LondonTo Offer Hacker Insurance Lloyd's of London, one of world's largest insurance firms, has partnered with San Jose, California- based Counterpane Security, Inc. to offer insurance against business losses due to mischief by hackers. By Lori Enos E-Commerce Times July 10, 2000 10
  • 11.
    Prediction Denial ofservice attacks against companies such as Yahoo! and Amazon.com illustrated the susceptibility of even well- established organizations to hacker attacks. Security incidents had not been widely reported prior to the broadband explosion, however, the Gartner Group predicts that by 2004, service providers will witness a 200 percent increase in the cost of responding to security incidents due to broadband connections. Pamela Warren, Nortel/Shasta 11
  • 12.
    How common isunauthorized system entry? A survey conducted by the Science Applications International Corp. in 1996 found that 40 major corporations reported losing over $800 million to computer break-ins. An FBI survey of 428 government, corporate and university sites found that over 40% reported having been broken into at least once in the last year. One third said that they had been broken into over the Internet. Another survey found that the Pentagon's systems that contain sensitive, but unclassified information, had been accessed via networks illegally 250,000 times and only 150 of the intrusions were detected. The FBI estimates that U.S. businesses loose $138 million every year to hackers. According to the CIA in the past three years government systems have been illegally entered 250,000. from student paper by Jimmy Sproles and Will Byars for a Computer Ethics Course at ETSU 1998 http://www-cs.etsu-tn.edu/gotterbarn/stdntppr/stats.htm 12
  • 13.
    Point and ClickCracking ÜHacker/Cracker toolkits ÜPassword crackers Ü“Script Kiddies” 13
  • 14.
    Are “They” inYOUR System? • Most companies do not know. • There is no plan to review logs or scan for unusual activity. • Physical access is not controlled in a consistent manner. • If an intrusion were detected or even suspected, there is no procedure designed to deal with it. 14
  • 15.
    Who Are “They”? ÜExternal“They”: v“Script Kiddies” (i.e. children) vSkilled crackers vForeign nationals (well funded) vCompetitors or their agents ÜInternal “They”: vDisgruntled employees vContractors, vendors, temps, etc. 15
  • 16.
    What Can “They”Do? The worst thing “they” can do is to simply quietly gather information and sell it to your competitors, or to other crackers. This can include customer information, trade secrets, payroll information, proposals, and bids. You won’t even know the information has been compromised. 16
  • 17.
    What Else Can“They” Do? ÜDestroy data ÜAlter data ÜEffect any system controlled by computers. ÜImbed Trojan programs for later exploitation. 17
  • 18.
    Why should youcare? How much is your information worth? What happens if a competitor has access to your pricing, your bids, and your payroll information? How much of you information could you do without and still do business? With the explosion of on-line services, controlling access to personal information is critical! The demands of consumers and the requirements of many government regulations such as US Code Title 47 and HIPAA make it mandatory that information be protected. 18
  • 19.
    Why Should YouCare? Corporate Officers And Directors Need To Take Responsibility For Securing Corporate Information Assets, Report Says Recourse Technologies™ Report, Written by Tech Industry Legal Expert, Finds Evidence That Directors/Officers Can be Held Liable for Loss of Data Due to Hacking. www.recourse.com/download/press/PDF/07.30.01_NOC.pdf 19
  • 20.
    What About Firewalls? ÜFirewallshelp protect the perimeter of your network. (The hard “candy” shell) ÜThe “soft chewy center” needs protecting, too. ÜFirewalls can and are compromised. 20
  • 21.
    Why Protect anIntranet? ÜAs stated before, firewalls can and are compromised. ÜThe only secure system is a system with no input or output, but what good is it? Ü Attacks also come from within the perimeter from vendors, contractors, and even employees. 21
  • 22.
    How Do IBegin? It isn’t magic; but don’t start from scratch. Resources: Ø Reference Books Ø The Internet Ø Consultation Ø Off The Shelf Software 22
  • 23.
    Awareness ÜInitial awareness program vExisting information dissemination methods vSpecial security awareness presentations ÜOngoing awareness (updates, etc.) vSecurity awareness newsletter ÜNew employee/contractor orientation 23
  • 24.
    Implementation Ü Physical Constraints v Locks § Time Locks § Cipher Locks v “Man Traps” v “Tamper Proof” Containers 24
  • 25.
    Implementation ÜElectronic Access vProximity Badges vBiometrics (the Oldest Form of Authentication) § Fingerprint § Voice Recognition § Retinal Scan § Face Recognition vMust have human oversight! 25
  • 26.
    Implementation ÜMonitoring for Adherenceto Established Practices and Policies. v Access logs (paper and electronic). v “Two man” accountability. v Visitor sign-in and escort. v Monitoring and review of video surveillance. v Regular audits (internal and external). v Mechanized scans of logs for anomalies. 26
  • 27.
    Implementation Ü Computer AccessControls. v Logon ID and Password v Digital Certificate/Smart Card v Hard Token (i.e. SecureID) v Biometrics v Integrated with Physical Access Method? v Logging! (with Review) v Regular Audits of Access Lists 27
  • 28.
    Implementation Ü Access Authorization v Role based v Specific Individual v Dependent on Authentication Mechanism v High Level § Corporate Directory § CORBASec ADO (Access Decision Object) vGranular § CORBA RAD (Resource Access Decision) 28
  • 29.
    Policy Implementation Ü Integrationof Physical and Computer Security Policies and Procedures. Ü Usability Studies. Ü Log, Review, Audit. Ü Consider Outside Certification. Ü Nothing Can Replace the Human Mind and the Human Eye for Monitoring and Review. 29
  • 30.
    Logging ÜTurn on logging! ÜAllocateheadcount to review logs. ÜTrain reviewer(s). ÜPolicy should dictate actions specifically. vShut down intruder(s) immediately or vTrack intruder to determine intent/build case. v Honeypot? 30
  • 31.
    Enforcement ÜManual vReviewsystem logs vNetwork/platform scans vVarious periodic audits ÜAutomatic vPlatform password restrictions vFirewalls, proxies, etc. vVarious policy enforcement tools 31
  • 32.
    Policies Ü Must BeDocumented Ü Clear, Concise, Well Indexed, Available Ü Consider Online, Web Based Ü Various Products Can “Jump Start” the Creation and Maintenance of Policies Ü Regular Reviews Ü Communication, Communication, Communication! 32
  • 33.
    Some Resources Ü ICSAWhite Paper on Computer Crime Statistics v http://www.trusecure.com/html/tspub/whitepapers/ crime.pdf Ü http://www.securityfocus.com/vulns/stats.shtml Ü … but don’t always believe Statistics v http://www.attrition.org/errata/stats.html 33
  • 34.
    More Resources ÜInformation SecurityPolicies Made Easy – Version 7; by Charles Cresson Wood ÜSecrets & Lies – Digital Security in a Networked World; by Bruce Schneier Ühttp://csrc.nist.gov • http://www.security-policy.org • http://www.msb.edu/faculty/culnanm/ gippshome.html 34
  • 35.
    Thanks for Listening Sam Lumpkin and Marty Byrne info@2ab.com 2AB, Inc. 205-621-7455 www.2ab.com 35