Uploaded byscottfrost
PPT, PDF533 views

College Presentation

The document provides an introduction to information security concepts including the CIA triad of confidentiality, integrity and availability. It discusses threats, vulnerabilities and risks and the importance of risk management. Key security principles are covered such as defense in depth, metrics, and the evolution of security risks and regulations.

Embed presentation

Download to read offline
The C, I, A’s of Security Introduction to Security Presentation Given To Students in The Master of Information Strategy, System and Technology Curriculum at Muskingum College Scott Frost CISSP, CISM, CISA The Polaris Consulting Group, LLC.
Honesty on the Internet 12 Sept 2009 Copyright The Polaris Consulting Group
CIA – the three legged tripod Integrity Confidentiality Availability 12 Sept 2009 Copyright The Polaris Consulting Group
Confidentiality Confidentiality ensures that computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By “access,” we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy” Security in Computing, Third Edition pg 10 12 Sept 2009 Copyright The Polaris Consulting Group
Integrity The quality of correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data. Or more simply put, “The data hasn’t been changed” 12 Sept 2009 Copyright The Polaris Consulting Group
Availability The degree to which data and the services or systems that provide the data are working acceptably 12 Sept 2009 Copyright The Polaris Consulting Group
CIA – How they work together Confidentiality Integrity Availability Secure 12 Sept 2009 Copyright The Polaris Consulting Group
Other Key Terms Possession - The ownership or control of information, as distinct from confidentiality. Authenticity - The correct attribution of origin such as the authorship of an e-mail message or the correct description of information such as a data field that is properly named. Utility - Usefulness; fitness for a particular use. Non-repudiation – Sender can’t deny sending and receiver can’t deny receiving (Think digital signatures) 12 Sept 2009 Copyright The Polaris Consulting Group
Threats, Vulnerabilities, and Risks Oh My! Threats – something that has the potential to cause harm or loss Vulnerabilities – weakness in a security system Controls – protective measure that removes or reduces a vulnerability Risks – “The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat” (1) 12 Sept 2009 Copyright The Polaris Consulting Group
Examples of Threats Acts of God – forces of nature, fire, flood, earthquake Technical Failures – Hardware or software with errors or flaws. (i.e. - Intel FDIV) Management Failures – Failure to upgrade or update, Inappropriate configuration. (AV updates, mis-configured firewall) 12 Sept 2009 Copyright The Polaris Consulting Group
Examples of Vulnerabilities Weak or default passwords Un-patched system Design flaw Code flaw (buffer overflows, input validation, etc.) Inadequate building construction 12 Sept 2009 Copyright The Polaris Consulting Group
Examples of Controls Security Guards and badges Required vacations for key personnel Internet versus intranet zones Firewalls 12 Sept 2009 Copyright The Polaris Consulting Group
What is Risk? Mathmatical Definition of Risk: Risk = Threat x Vulnerability x Cost What does this mean? Let’s look at a few examples: Earthquake Computer Virus 12 Sept 2009 Copyright The Polaris Consulting Group
Risk Management The CISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." 12 Sept 2009 Copyright The Polaris Consulting Group
Key Components of Risk Management Identification of assets Identification of vulnerabilities and threats to those assets Controls to mitigate risks Aid in the prioritization of scarce resources Is this a one time process or iterative? Why? 12 Sept 2009 Copyright The Polaris Consulting Group
Identification of Assets How do you find them? 12 Sept 2009 Copyright The Polaris Consulting Group Company provided inventory (generally not so good) Internal Scans (will catch a lot but only if the asset is connected to the network) Walk around Talk to employees Visit data center
Prioritization of Risks Tuesday at noon EDT a new Top Cyber Risks report will be released summarizing current data from the largest network of intrusion prevention sensors and the largest network of vulnerability testers (millions of systems). It shows that the top two cyber risks are far more critical than previously thought, and at the same time that enterprises are acting very slowly to mitigate the risks. In fact the data show that enterprises are investing in less important risks and skimping on the important ones. This is the first time a threat report has been based on a combination of these two data sources on a global scale. Very cool because the findings are authoritative (and were vetted by the Storm Center folks and SANS' top instructors). If you have wanted to get your organization to fix the key problems, you'll find this report to be a powerful tool to move executive decision making forward.  If you are a press person and want to be included in the press conference call, please email [email_address] and tell me which publication. SANS NewsBites Vol. 11 Num. 72 12 Sept 2009 Copyright The Polaris Consulting Group
Risk Management – Business Choices Accept the risk Mitigate the Risk Transfer the risk Deny the risk 12 Sept 2009 Copyright The Polaris Consulting Group
What Brought all of this about? 1980’s – Introduction of personal computers Movies such as “War Games” Matthew Broderick Hacking is cool and geeky 1989 – The Cockoo’s Egg – Clifford Stoll $0.75 accounting error leads to one of the first documented cases of hacking 1990’s Birth of Netscape Back Orifice Kevin Mitnick Early 2000 – Code Red, Nimba, Slammer, identity theft Mid to late 2000’s – Organized crime and governments 12 Sept 2009 Copyright The Polaris Consulting Group
WHY???? Personal challenge Follow the money Early hacking was to avoid long distance phone calls Later hacking was to break into banks and steal money Now compromising personal information (credit cards, SSN’s, DOB, etc.) are sold in bulk for credit card and other fraud Control of Assets – botnets Corporate and Government Secrets Relatively Anonymous 12 Sept 2009 Copyright The Polaris Consulting Group
Evolution of Laws and Regulations 1980’s – Start of Federal laws on computer activity Federal Computer Fraud and Abuse Act 1990’s – HIPAA “Health Insurance Portability And Accountability Act” – Health sector Gramm-Leach-Bliley – Financial Sector 2000’s – Federal Information Security Act (FISMA) – Government regulations Sarbanes-Oxley – Management on the hook for security of financial systems PCI DSS Security Breach Notification Laws 12 Sept 2009 Copyright The Polaris Consulting Group
Security Assessments Required by PCI-DSS, GLBA, HIPAA, etc. Main Purpose Ensure that there are sufficient controls to prevent unauthorized data disclosure Likely Result? Long list of vulnerabilities that when exploited resulted in unauthorized data disclosure Now we are back into Risk Management 12 Sept 2009 Copyright The Polaris Consulting Group
Security Assessments Management Sponsor Liability protection  Scope What is the asset to be protected? Hint: Look for databases, customer data, financial data, corporate secrets, etc. Should include technical and human vulnerabilities (Kevin Mitnick) Should handle false positives and false negatives Risk assessment results that identify the assets, threats, vulnerabilities, etc. Prioritized list of recommendations 12 Sept 2009 Copyright The Polaris Consulting Group
Security Assessments Final Step? 12 Sept 2009 Copyright The Polaris Consulting Group Schedule another One! Why? Because things change.
Fundamentals of a Good Security Program Management buy in Security Framework (SANS CAG, ISO 27001/2, ITIL People, Technology, Process Set security goals and develop a WAITT (We Are In This Together) philosophy Risk Prioritization Metrics Defense in Depth – Recognition that one layer is not sufficient Proactive 12 Sept 2009 Copyright The Polaris Consulting Group
SANS Consensus Audit Guidelines Critical Controls Subject to Automated Collection, Measurement, and Validation: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Maintenance, Monitoring, and Analysis of Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access Based on Need to Know Continuous Vulnerability Assessment and Remediation Account Monitoring and Control Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Wireless Device Control Data Loss Prevention Additional Critical Controls (not directly supported by automated measurement and validation): Secure Network Engineering Penetration Tests and Red Team Exercises Incident Response Capability Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps 12 Sept 2009 Copyright The Polaris Consulting Group
Security is more than a checklist Proactive security Honeypots, Honeyports Good Trojan horses and call home viruses Think like a hacker Use Twitter Ongoing scan Monitor log files 12 Sept 2009 Copyright The Polaris Consulting Group
Historical Defense in Depth 12 Sept 2009 Copyright The Polaris Consulting Group
Modern Defense in Depth? 12 Sept 2009 Copyright The Polaris Consulting Group Fire Network Access Control Firewall Network Design Guards and badges Log Monitoring Encryption DMZ
Metrics You can't manage what you don't measure. It is an old management adage that is accurate today. Unless you measure something you don't know if it is getting better or worse. You can't manage for improvement if you don't measure to see what is getting better and what isn't. By F. John Reh , About.com 12 Sept 2009 Copyright The Polaris Consulting Group
Wrapping Things Up Evolution of security risks External versus Internal – Where’s the greater threat? Costs of doing nothing 12 Sept 2009 Copyright The Polaris Consulting Group
The Evolution of Security Risks TOP OF THE NEWS  --Cyber Criminals Targeting Smaller US Firms; Get Millions (August 25, 2009) Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States , setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?hpid=topnews [Guest Editor's Note (Rob Lee): We are seeing a lot of these. There are three contributing reasons they are growing so fast: (1) Low threat of arrest in these "safe havens," (2) High payout for the crime, and (3) Victim sharing data on these attacks has been minimal. The attacks are amazingly simple and the amount of money taken is large.  The firms do not know how to protect themselves.  In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards.   Small businesses are being affected greatly by poor security practices.  It isn't a risk issue.  It is a survival one.] 12 Sept 2009 Copyright The Polaris Consulting Group
External versus Internal – Where’s the greater threat? 87% of FBI respondents in 2005 survey indicated that they had some form of security incident 73% of threat is internal 23% is external (Where did the other 4% go to?) Average internal threat costs the company 2.7 million Average external threat costs the company $57,000 12 Sept 2009 Copyright The Polaris Consulting Group
Costs of doing nothing (or not doing it right) The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. ( http://www.informationweek.com/news/security/showArticle.jhtml?articleID=199000222 ) T.J. Maxx Security Breach Costs Soar To 10 Times Earlier Estimate The retailers' second-quarter earnings show that the company had to absorb $118 million in that quarter alone. That's added to earlier breach costs of $17 million. ( http://www.informationweek.com/news/global-cio/compliance/showArticle.jhtml?articleID=201800259) 12 Sept 2009 Copyright The Polaris Consulting Group
SANS Top 20 Client-side Vulnerabilities in: C1. Web Browsers C2. Office Software C3. Email Clients C4. Media Players Server-side Vulnerabilities in: S1. Web Applications S2. Windows Services S3. Unix and Mac OS Services S4. Backup Software S5. Anti-virus Software S6. Management Servers S7. Database Software 12 Sept 2009 Copyright The Polaris Consulting Group Security Policy and Personnel: H1. Excessive User Rights and Unauthorized Devices H2. Phishing/Spear Phishing H3. Unencrypted Laptops and Removable Media Application Abuse: A1. Instant Messaging A2. Peer-to-Peer Programs Network Devices: N1. VoIP Servers and Phones Zero Day Attacks: Z1. Zero Day Attacks
Top 10 Trends (per SANS) Encrypting mobile devices Theft of mobile devices Additional laws Cyber attacks to increase Cell phone worms VOIP attacks Spyware 0-Day exploits Rootkit bots Network Access Control will become more important 12 Sept 2009 Copyright The Polaris Consulting Group
Security Web Sites Just a few sans.org - SysAdmin, Audit, Network, Security cisecurity.org - Center for Internet Security www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml - NSA Security Configuration Guides csrc.nist.gov - NIST Computer Security Division 12 Sept 2009 Copyright The Polaris Consulting Group
My Contact Info LinkedIn: Scott Frost Email: [email_address] Web Site: http://thepolarisconsultinggroup.com 12 Sept 2009 Copyright The Polaris Consulting Group

More Related Content

PDF
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
byInno Eroraha [NetSecurity]
 
PPSX
BCP Expo Presentation and company overview final ver. 1.0
byJulian Samuels
 
PPTX
Cybersecurity Risks for Businesses
byAlex Rudie
 
PPT
Cyber Insurance Temp
byRohan Sehgal
 
PDF
Cyber Security Tips and Resources for Financial Institutions
byColleen Beck-Domanico
 
PPSX
BCP Expo Presentation and company overview final ver. 1.0
byJulian Samuels
 
PPTX
Protecting the Crown Jewels – Enlist the Beefeaters
byJack Nichelson
 
PPTX
First Responders Course - Session 3 - Monitoring and Controlling Incident Costs
byPhil Huggins FBCS CITP
 
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
byInno Eroraha [NetSecurity]
 
BCP Expo Presentation and company overview final ver. 1.0
byJulian Samuels
 
Cybersecurity Risks for Businesses
byAlex Rudie
 
Cyber Insurance Temp
byRohan Sehgal
 
Cyber Security Tips and Resources for Financial Institutions
byColleen Beck-Domanico
 
BCP Expo Presentation and company overview final ver. 1.0
byJulian Samuels
 
Protecting the Crown Jewels – Enlist the Beefeaters
byJack Nichelson
 
First Responders Course - Session 3 - Monitoring and Controlling Incident Costs
byPhil Huggins FBCS CITP
 

What's hot

PPTX
Cyber security
byVaibhav Jain
 
PDF
White paper cyber risk appetite defining and understanding risk in the moder...
bybalejandre
 
PDF
SEC Alert
byJohn Apkarian
 
PPTX
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
byCBIZ, Inc.
 
PPT
Statewide Insurance Brokers - Cyber Insurance 101
byStatewide Insurance Brokers
 
PDF
Leveraging Board Governance for Cybersecurity
byShareDocView.com
 
PPTX
Detection of Anomalous Behavior
byCapgemini
 
PPT
Shaping Your Future in Banking Cybersecurity
byDawn Yankeelov
 
PDF
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
byCohesive Networks
 
PPTX
Ci2 cyber insurance presentation
byEthan S. Burger
 
PDF
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
PDF
Security Feature Cover Story
byTorrid Networks Private Limited
 
PDF
Prevent & Protect
byMike McMillan
 
PDF
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
byDFLABS SRL
 
PDF
br-security-connected-top-5-trends
byChristopher Bennett
 
PDF
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
PPTX
Cloud Computing Legal for Pennsylvania Bar Association
byAmy Larrimore
 
PDF
Cybersecurity and The Board
byPaul Melson
 
PDF
2011 FCC CSRIC WG2A Cyber Security Best Practices Final Report
byPhil Agcaoili
 
Cyber security
byVaibhav Jain
 
White paper cyber risk appetite defining and understanding risk in the moder...
bybalejandre
 
SEC Alert
byJohn Apkarian
 
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
byCBIZ, Inc.
 
Statewide Insurance Brokers - Cyber Insurance 101
byStatewide Insurance Brokers
 
Leveraging Board Governance for Cybersecurity
byShareDocView.com
 
Detection of Anomalous Behavior
byCapgemini
 
Shaping Your Future in Banking Cybersecurity
byDawn Yankeelov
 
Dwight Koop's Chicago ECFT talk "The Chicago School of Cybersecurity Thinking...
byCohesive Networks
 
Ci2 cyber insurance presentation
byEthan S. Burger
 
Managed Security For A Not So Secure World Wp090991
byErik Ginalick
 
Security Feature Cover Story
byTorrid Networks Private Limited
 
Prevent & Protect
byMike McMillan
 
Using the IncMan Suite to Manage the Reporting of Cyber Security Risks and In...
byDFLABS SRL
 
br-security-connected-top-5-trends
byChristopher Bennett
 
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
Cloud Computing Legal for Pennsylvania Bar Association
byAmy Larrimore
 
Cybersecurity and The Board
byPaul Melson
 
2011 FCC CSRIC WG2A Cyber Security Best Practices Final Report
byPhil Agcaoili
 

Viewers also liked

PPT
BICC Conceptual Overview
byAndrew Marks
 
PDF
Cv Dec 2011
byAlice Viana
 
DOC
TUGAS MANAJEMEN KEUANGAN
bykecepirit
 
PDF
CSP Project Development Conference and Expo
byCSP Today
 
PDF
2nd Thin Film Summit US Brochure
byCSP Today
 
PDF
Final
byCSP Today
 
PDF
CSP Yield Optimization Conference and Expo
byCSP Today
 
PPT
KEUANGAN
bykecepirit
 
PDF
4th International Concentrated Solar Thermal Power Summit
byCSP Today
 
PPSX
Drill Overview 2009
bySsonya
 
PPTX
Aagile business analytics - how a new generation bi is reducing risk and incr...
byAndrew Marks
 
PPTX
Why Are African Americans Over Represented on Twitter?
bykenya28
 
PPT
01 This Month In Real Estate Canada 2010 (1)
byChristopher Newell
 
XLS
Analisis Laporan Keuangan PT. Panasia Filament Intl.Tbk
bykecepirit
 
PPT
NEW UNIFORM
bykecepirit
 
KEY
test
byguest83b246
 
DOC
Tugas Manajemen Keuangan Kel 4
bykecepirit
 
BICC Conceptual Overview
byAndrew Marks
 
Cv Dec 2011
byAlice Viana
 
TUGAS MANAJEMEN KEUANGAN
bykecepirit
 
CSP Project Development Conference and Expo
byCSP Today
 
2nd Thin Film Summit US Brochure
byCSP Today
 
Final
byCSP Today
 
CSP Yield Optimization Conference and Expo
byCSP Today
 
KEUANGAN
bykecepirit
 
4th International Concentrated Solar Thermal Power Summit
byCSP Today
 
Drill Overview 2009
bySsonya
 
Aagile business analytics - how a new generation bi is reducing risk and incr...
byAndrew Marks
 
Why Are African Americans Over Represented on Twitter?
bykenya28
 
01 This Month In Real Estate Canada 2010 (1)
byChristopher Newell
 
Analisis Laporan Keuangan PT. Panasia Filament Intl.Tbk
bykecepirit
 
NEW UNIFORM
bykecepirit
 
test
byguest83b246
 
Tugas Manajemen Keuangan Kel 4
bykecepirit
 

Similar to College Presentation

PDF
Course Information Security Lecture 1.pdf
bySamahAdel16
 
PPT
Information System Security(lecture 1)
byAli Habeeb
 
PDF
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
byJenna Murray
 
PPTX
Cyber-Security-Unit-1.pptx
byTikdiPatel
 
PPT
Iss lecture 1
byAli Habeeb
 
PPTX
Advanced Operating System Principles.pptx
byyuvapapa26
 
PPTX
Information Security Lecture One for Basic
byhassankhan978073
 
PPTX
Date security introduction
byLeo Mark Villar
 
PPTX
Information security for business majors
byPaul Melson
 
PDF
OSB50: Operational Security: State of the Union
byIvanti
 
PPTX
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
PPTX
ke-1.pptx
byAhmadNaswin
 
PPT
InfoSecConcepts.ppt
byMobileAntitheft
 
PPTX
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
PPTX
Secure Iowa Oct 2016
byLarry Slobodzian
 
PDF
Management Information Systems
bymsd11
 
PPT
Class4 Security
byRMS
 
PPTX
What is Information Security and why you should care ...
byJames Mulhern
 
PPTX
IT Security & Risk
byTanujpandey5
 
PPSX
The myth of secure computing; management information system; MIS
bySaazan Shrestha
 
Course Information Security Lecture 1.pdf
bySamahAdel16
 
Information System Security(lecture 1)
byAli Habeeb
 
CYBER SECURITY WHAT IS IT AND WHAT YOU NEED TO KNOW.pdf
byJenna Murray
 
Cyber-Security-Unit-1.pptx
byTikdiPatel
 
Iss lecture 1
byAli Habeeb
 
Advanced Operating System Principles.pptx
byyuvapapa26
 
Information Security Lecture One for Basic
byhassankhan978073
 
Date security introduction
byLeo Mark Villar
 
Information security for business majors
byPaul Melson
 
OSB50: Operational Security: State of the Union
byIvanti
 
ke-1.pptx454545454545550515545456486498498498
byAhmadNaswin
 
ke-1.pptx
byAhmadNaswin
 
InfoSecConcepts.ppt
byMobileAntitheft
 
ke-1 - Copy cat massunu rahing.pptxdfdff
byAhmadNaswin
 
Secure Iowa Oct 2016
byLarry Slobodzian
 
Management Information Systems
bymsd11
 
Class4 Security
byRMS
 
What is Information Security and why you should care ...
byJames Mulhern
 
IT Security & Risk
byTanujpandey5
 
The myth of secure computing; management information system; MIS
bySaazan Shrestha
 

College Presentation

  • 1.
    The C, I,A’s of Security Introduction to Security Presentation Given To Students in The Master of Information Strategy, System and Technology Curriculum at Muskingum College Scott Frost CISSP, CISM, CISA The Polaris Consulting Group, LLC.
  • 2.
    Honesty on theInternet 12 Sept 2009 Copyright The Polaris Consulting Group
  • 3.
    CIA – thethree legged tripod Integrity Confidentiality Availability 12 Sept 2009 Copyright The Polaris Consulting Group
  • 4.
    Confidentiality Confidentiality ensuresthat computer-related assets are accessed only by authorized parties. That is, only those who should have access to something will actually get that access. By “access,” we mean not only reading but also viewing, printing, or simply knowing that a particular asset exists. Confidentiality is sometimes called secrecy or privacy” Security in Computing, Third Edition pg 10 12 Sept 2009 Copyright The Polaris Consulting Group
  • 5.
    Integrity The qualityof correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data. Or more simply put, “The data hasn’t been changed” 12 Sept 2009 Copyright The Polaris Consulting Group
  • 6.
    Availability The degreeto which data and the services or systems that provide the data are working acceptably 12 Sept 2009 Copyright The Polaris Consulting Group
  • 7.
    CIA – Howthey work together Confidentiality Integrity Availability Secure 12 Sept 2009 Copyright The Polaris Consulting Group
  • 8.
    Other Key TermsPossession - The ownership or control of information, as distinct from confidentiality. Authenticity - The correct attribution of origin such as the authorship of an e-mail message or the correct description of information such as a data field that is properly named. Utility - Usefulness; fitness for a particular use. Non-repudiation – Sender can’t deny sending and receiver can’t deny receiving (Think digital signatures) 12 Sept 2009 Copyright The Polaris Consulting Group
  • 9.
    Threats, Vulnerabilities, andRisks Oh My! Threats – something that has the potential to cause harm or loss Vulnerabilities – weakness in a security system Controls – protective measure that removes or reduces a vulnerability Risks – “The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets. The impact or relative severity of the risk is proportional to the business value of the loss/damage and to the estimated frequency of the threat” (1) 12 Sept 2009 Copyright The Polaris Consulting Group
  • 10.
    Examples of ThreatsActs of God – forces of nature, fire, flood, earthquake Technical Failures – Hardware or software with errors or flaws. (i.e. - Intel FDIV) Management Failures – Failure to upgrade or update, Inappropriate configuration. (AV updates, mis-configured firewall) 12 Sept 2009 Copyright The Polaris Consulting Group
  • 11.
    Examples of VulnerabilitiesWeak or default passwords Un-patched system Design flaw Code flaw (buffer overflows, input validation, etc.) Inadequate building construction 12 Sept 2009 Copyright The Polaris Consulting Group
  • 12.
    Examples of ControlsSecurity Guards and badges Required vacations for key personnel Internet versus intranet zones Firewalls 12 Sept 2009 Copyright The Polaris Consulting Group
  • 13.
    What is Risk?Mathmatical Definition of Risk: Risk = Threat x Vulnerability x Cost What does this mean? Let’s look at a few examples: Earthquake Computer Virus 12 Sept 2009 Copyright The Polaris Consulting Group
  • 14.
    Risk Management TheCISA Review Manual 2006 provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization." 12 Sept 2009 Copyright The Polaris Consulting Group
  • 15.
    Key Components ofRisk Management Identification of assets Identification of vulnerabilities and threats to those assets Controls to mitigate risks Aid in the prioritization of scarce resources Is this a one time process or iterative? Why? 12 Sept 2009 Copyright The Polaris Consulting Group
  • 16.
    Identification of AssetsHow do you find them? 12 Sept 2009 Copyright The Polaris Consulting Group Company provided inventory (generally not so good) Internal Scans (will catch a lot but only if the asset is connected to the network) Walk around Talk to employees Visit data center
  • 17.
    Prioritization of RisksTuesday at noon EDT a new Top Cyber Risks report will be released summarizing current data from the largest network of intrusion prevention sensors and the largest network of vulnerability testers (millions of systems). It shows that the top two cyber risks are far more critical than previously thought, and at the same time that enterprises are acting very slowly to mitigate the risks. In fact the data show that enterprises are investing in less important risks and skimping on the important ones. This is the first time a threat report has been based on a combination of these two data sources on a global scale. Very cool because the findings are authoritative (and were vetted by the Storm Center folks and SANS' top instructors). If you have wanted to get your organization to fix the key problems, you'll find this report to be a powerful tool to move executive decision making forward.  If you are a press person and want to be included in the press conference call, please email [email_address] and tell me which publication. SANS NewsBites Vol. 11 Num. 72 12 Sept 2009 Copyright The Polaris Consulting Group
  • 18.
    Risk Management –Business Choices Accept the risk Mitigate the Risk Transfer the risk Deny the risk 12 Sept 2009 Copyright The Polaris Consulting Group
  • 19.
    What Brought allof this about? 1980’s – Introduction of personal computers Movies such as “War Games” Matthew Broderick Hacking is cool and geeky 1989 – The Cockoo’s Egg – Clifford Stoll $0.75 accounting error leads to one of the first documented cases of hacking 1990’s Birth of Netscape Back Orifice Kevin Mitnick Early 2000 – Code Red, Nimba, Slammer, identity theft Mid to late 2000’s – Organized crime and governments 12 Sept 2009 Copyright The Polaris Consulting Group
  • 20.
    WHY???? Personal challengeFollow the money Early hacking was to avoid long distance phone calls Later hacking was to break into banks and steal money Now compromising personal information (credit cards, SSN’s, DOB, etc.) are sold in bulk for credit card and other fraud Control of Assets – botnets Corporate and Government Secrets Relatively Anonymous 12 Sept 2009 Copyright The Polaris Consulting Group
  • 21.
    Evolution of Lawsand Regulations 1980’s – Start of Federal laws on computer activity Federal Computer Fraud and Abuse Act 1990’s – HIPAA “Health Insurance Portability And Accountability Act” – Health sector Gramm-Leach-Bliley – Financial Sector 2000’s – Federal Information Security Act (FISMA) – Government regulations Sarbanes-Oxley – Management on the hook for security of financial systems PCI DSS Security Breach Notification Laws 12 Sept 2009 Copyright The Polaris Consulting Group
  • 22.
    Security Assessments Requiredby PCI-DSS, GLBA, HIPAA, etc. Main Purpose Ensure that there are sufficient controls to prevent unauthorized data disclosure Likely Result? Long list of vulnerabilities that when exploited resulted in unauthorized data disclosure Now we are back into Risk Management 12 Sept 2009 Copyright The Polaris Consulting Group
  • 23.
    Security Assessments ManagementSponsor Liability protection  Scope What is the asset to be protected? Hint: Look for databases, customer data, financial data, corporate secrets, etc. Should include technical and human vulnerabilities (Kevin Mitnick) Should handle false positives and false negatives Risk assessment results that identify the assets, threats, vulnerabilities, etc. Prioritized list of recommendations 12 Sept 2009 Copyright The Polaris Consulting Group
  • 24.
    Security Assessments FinalStep? 12 Sept 2009 Copyright The Polaris Consulting Group Schedule another One! Why? Because things change.
  • 25.
    Fundamentals of aGood Security Program Management buy in Security Framework (SANS CAG, ISO 27001/2, ITIL People, Technology, Process Set security goals and develop a WAITT (We Are In This Together) philosophy Risk Prioritization Metrics Defense in Depth – Recognition that one layer is not sufficient Proactive 12 Sept 2009 Copyright The Polaris Consulting Group
  • 26.
    SANS Consensus AuditGuidelines Critical Controls Subject to Automated Collection, Measurement, and Validation: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Maintenance, Monitoring, and Analysis of Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access Based on Need to Know Continuous Vulnerability Assessment and Remediation Account Monitoring and Control Malware Defenses Limitation and Control of Network Ports, Protocols, and Services Wireless Device Control Data Loss Prevention Additional Critical Controls (not directly supported by automated measurement and validation): Secure Network Engineering Penetration Tests and Red Team Exercises Incident Response Capability Data Recovery Capability Security Skills Assessment and Appropriate Training to Fill Gaps 12 Sept 2009 Copyright The Polaris Consulting Group
  • 27.
    Security is morethan a checklist Proactive security Honeypots, Honeyports Good Trojan horses and call home viruses Think like a hacker Use Twitter Ongoing scan Monitor log files 12 Sept 2009 Copyright The Polaris Consulting Group
  • 28.
    Historical Defense inDepth 12 Sept 2009 Copyright The Polaris Consulting Group
  • 29.
    Modern Defense inDepth? 12 Sept 2009 Copyright The Polaris Consulting Group Fire Network Access Control Firewall Network Design Guards and badges Log Monitoring Encryption DMZ
  • 30.
    Metrics You can'tmanage what you don't measure. It is an old management adage that is accurate today. Unless you measure something you don't know if it is getting better or worse. You can't manage for improvement if you don't measure to see what is getting better and what isn't. By F. John Reh , About.com 12 Sept 2009 Copyright The Polaris Consulting Group
  • 31.
    Wrapping Things UpEvolution of security risks External versus Internal – Where’s the greater threat? Costs of doing nothing 12 Sept 2009 Copyright The Polaris Consulting Group
  • 32.
    The Evolution ofSecurity Risks TOP OF THE NEWS  --Cyber Criminals Targeting Smaller US Firms; Get Millions (August 25, 2009) Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States , setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?hpid=topnews [Guest Editor's Note (Rob Lee): We are seeing a lot of these. There are three contributing reasons they are growing so fast: (1) Low threat of arrest in these "safe havens," (2) High payout for the crime, and (3) Victim sharing data on these attacks has been minimal. The attacks are amazingly simple and the amount of money taken is large.  The firms do not know how to protect themselves.  In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards.   Small businesses are being affected greatly by poor security practices.  It isn't a risk issue.  It is a survival one.] 12 Sept 2009 Copyright The Polaris Consulting Group
  • 33.
    External versus Internal– Where’s the greater threat? 87% of FBI respondents in 2005 survey indicated that they had some form of security incident 73% of threat is internal 23% is external (Where did the other 4% go to?) Average internal threat costs the company 2.7 million Average external threat costs the company $57,000 12 Sept 2009 Copyright The Polaris Consulting Group
  • 34.
    Costs of doingnothing (or not doing it right) The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. ( http://www.informationweek.com/news/security/showArticle.jhtml?articleID=199000222 ) T.J. Maxx Security Breach Costs Soar To 10 Times Earlier Estimate The retailers' second-quarter earnings show that the company had to absorb $118 million in that quarter alone. That's added to earlier breach costs of $17 million. ( http://www.informationweek.com/news/global-cio/compliance/showArticle.jhtml?articleID=201800259) 12 Sept 2009 Copyright The Polaris Consulting Group
  • 35.
    SANS Top 20Client-side Vulnerabilities in: C1. Web Browsers C2. Office Software C3. Email Clients C4. Media Players Server-side Vulnerabilities in: S1. Web Applications S2. Windows Services S3. Unix and Mac OS Services S4. Backup Software S5. Anti-virus Software S6. Management Servers S7. Database Software 12 Sept 2009 Copyright The Polaris Consulting Group Security Policy and Personnel: H1. Excessive User Rights and Unauthorized Devices H2. Phishing/Spear Phishing H3. Unencrypted Laptops and Removable Media Application Abuse: A1. Instant Messaging A2. Peer-to-Peer Programs Network Devices: N1. VoIP Servers and Phones Zero Day Attacks: Z1. Zero Day Attacks
  • 36.
    Top 10 Trends(per SANS) Encrypting mobile devices Theft of mobile devices Additional laws Cyber attacks to increase Cell phone worms VOIP attacks Spyware 0-Day exploits Rootkit bots Network Access Control will become more important 12 Sept 2009 Copyright The Polaris Consulting Group
  • 37.
    Security Web SitesJust a few sans.org - SysAdmin, Audit, Network, Security cisecurity.org - Center for Internet Security www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml - NSA Security Configuration Guides csrc.nist.gov - NIST Computer Security Division 12 Sept 2009 Copyright The Polaris Consulting Group
  • 38.
    My Contact InfoLinkedIn: Scott Frost Email: [email_address] Web Site: http://thepolarisconsultinggroup.com 12 Sept 2009 Copyright The Polaris Consulting Group

Editor's Notes

  • #7 Related story of companies taking down their web site during code red
  • #9 Possession: For example, if confidential information such as a user ID-password combination is in a sealed container and the container is stolen, the owner justifiably feels that there has been a breach of security even if the container remains closed (this is a breach of possession or control over the information). Utility example: For example, if data is encrypted and the decryption key is unavailable, the breach of security is in the lack of utility of the data Source: http://www.pcmag.com/encyclopedia_term/0,2542,t=Parkerian+Hexad&i=48859,00.asp Six fundamental, atomic, non-overlapping attributes of information that are protected by information security measures. Defined by Donn B. Parker, renowned security consultant and writer, they are confidentiality , possession , integrity , authenticity , availability and utility .
  • #10 Guidelines for the Management of IT Security as published by ISO Vulnerability Vulnerability is the likelihood of success of a particular threat category against a particular organization. Notice that if this were the likelihood of success of a particular attack (e.g., the Ping of Death) against a particular machine, the likelihood would be either 0 or 1 (0 percent or 100 percent). But since we are concerned about vulnerability at an organizational level (with, say, 1,000 PCs and 50 servers configured and architected in a particular way) to an entire class of threat, binary terms don't work. Instead, vulnerability has to be quantified in terms of a probability of success, expressed as a percent likelihood.
  • #11 Threats generally have numbers associated with them – e.g. Florida is likely to have 1.4 hurricanes each year
  • #12 Scanners can often assist with identifying known vulnerabilities
  • #13 Controls Software Operating system controls that protect users from each other or from sensitive data Program controls that enforce security restrictions Virus scanners, intrusion detection systems, etc. Hardware Locks Firewalls Smartcards Physical Door locks Guards Backups
  • #14 Threat: Earthquake Vulnerability: Building not up to earthquake code Cost: Millions Risk: Low Threat: Computer Virus Vulnerability: Likely medium to high Costs: Depends Risk:
  • #16 http://en.wikipedia.org/wiki/Information_security#Risk_management Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies. Conduct a threat assessment. Include: Acts of nature, acts of war , accidents, malicious acts originating from inside or outside the organization. Conduct a vulnerability assessment , and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security , quality control , technical security. Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis. Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset. Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity. Business environment is constantly changing and as a result introducing new vulnerabilities Countermeasures are also constantly changing and must be reevaluated
  • #19 Examples to discuss: Accepting the risk FTP server is prone to being owned – yet it isn’t worth the time or trouble to properly defend it because it would exceed the cost of the item Mitigating the Risk Vulnerability audit indicates that your web server is vulnerable to cross site scripting attacks, has an old operating system Transferring the Risk: You are a Heisman winning quarterbook as a junior, you want to come back for your senior season – what do you do to manage the risk? Deny the risk:
  • #20 Clifford Stoll (the author) managed some computers at Lawrence Berkeley Laboratories in California. One day, his supervisor (Dave Cleveland) asked him to resolve a USD$ 0.75 accounting error in the computer usage accounts. He traced the error to an unauthorized user who had apparently used up 9 seconds of computer time and not paid for it, and eventually realized that the unauthorized user was a hacker who had acquired root access to the LBL system by exploiting a vulnerability in the movemail function of the original GNU Emacs . Over the next ten months, Stoll spent a great deal of time and effort tracing the hacker's origin. He saw that the hacker was using a 1200 baud connection and realized that the intrusion was coming through a telephone modem connection. Stoll's colleagues, Paul Murray and Lloyd Bellknap, helped with the phone lines. Over the course of a long weekend he rounded up fifty terminals, mostly by "borrowing" them from the desks of co-workers away for the weekend, and teletype printers and physically attached them to the fifty incoming phone lines. When the hacker dialed in that weekend, Stoll located the phone line, which was coming from the Tymnet routing service. With the help of Tymnet, he eventually tracked the intrusion to a call center at MITRE , a defense contractor in McLean, Virginia . Stoll, after returning his "borrowed" terminals, left a teletype printer attached to the intrusion line in order to see and record everything the hacker did. Stoll recorded the hacker's actions as he sought, and sometimes gained, unauthorized access to military bases around the United States, looking for files that contained words such as "nuclear" or " SDI ". The hacker also copied password files (in order to make dictionary attacks ) and set up Trojan horses to find passwords. Stoll was amazed that on many of these high-security sites the hacker could easily guess passwords, since many system administrators never bothered to change the passwords from their factory defaults. Even on army bases, the hacker was sometimes able to log in as "guest" with no password. Over the course of this investigation, Stoll contacted various agents at the FBI , CIA , NSA , and Air Force OSI . Since this was almost the first documented case of hacking, (Stoll seems to have been the first to keep a daily log book of the hacker's activity), there was some confusion as to jurisdiction and a general reluctance to share information. Studying his log book, Stoll saw that the hacker was familiar with VMS , as well as AT&T Unix . He also noted that the hacker tended to be active around the middle of the day, Pacific time. Stoll hypothesized that since modem bills are cheaper at night, and most people have school or a day job and would only have a lot of free time for hacking at night, the hacker was in a time zone some distance to the east. With the help of Tymnet and various agents from various agencies, Stoll eventually found that the intrusion was coming from West Germany via satellite. The Deutsche Bundespost , the German post office, also had authority over the phone system, and they traced the calls to a university in Bremen . In order to entice the hacker to stay on the line long enough to be backtracked from Bremen, Stoll set up an elaborate hoax (known today as a honeypot ), inventing a new department at LBL that had supposedly been newly formed because of an imaginary SDI contract. He knew the hacker was mainly interested in SDI, so he filled the "SDInet" account (operated by the imaginary secretary Barbara Sherwin) with large files full of impressive-sounding bureaucratese . The ploy worked, and the Deutsche Bundespost finally located the hacker at his home in Hanover . The hacker's name was Markus Hess , and he had been engaged for some years in selling the results of his hacking to the Soviet KGB . There was ancillary proof of this when a Hungarian spy contacted the imaginary SDInet at LBL, based on information he could only have gotten through Hess (apparently this was the KGB's method of double-checking to see if Hess was just making up the information he was selling them). Stoll later had to fly to Germany to testify at the trial of Hess and a confederate. Although Hess was active at the same time and in the same area as the German Chaos Computer Club , they do not seem to have been working together. http://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_%28book%29
  • #22 Gramm (http://www.securitymanagement.com/archive/library/gramm_tech0902.pdf) Access controls on customer information systems Access restrictions at physical locations containing customer information Encryption of electronic customer information Procedures to ensure that system modifications do not affect security Dual control procedures, segregation of duties, and employee background checks Monitoring systems to detect actual attacks on or intrusions into customer information Response programs that specify actions to be taken when unauthorized access has occurred Protection from physical destruction or damage to customer information Could also talk about FERPA ( Family Educational Rights and Privacy Act ) that was enacted in 1974. This is a USA Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record.
  • #24 http://en.wikipedia.org/wiki/Information_Technology_Security_Assessment
  • #26 you cannot make good decisions about security without first determining what your security goals are A risk management program that is constantly evaluating the risks to the business and setting priorities
  • #34 Security and Loss Prevention 5 th Edition by Philip P. Purpura pg 135
  • #35 - Credit Card Industry Grapples with Security Fresh details of large-scale cyber attacks against data processor Heartland Payment Systems, Inc. and supermarket chain Hannaford Brothers show the challenges facing the efforts of the credit card industry to upgrade security measures. While both companies say their computer networks met the tough new standards meant to prevent data breaches, Visa, Inc. said Heartland may have let its guard down. The positions reflect broader disagreements in the industry, as squabbling between merchants and financial firms over technology and the cost of systems upgrades continues to impede progress while the financial stakes get higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research. More information: http://www.reuters.com/article/smallBusinessNews/idUSTRE57N4LQ20090824
  • #37 - "Dirty Websites" Pose Biggest Security Risk The 100 most dangerous sites on the web are propagating an average of 18,000 different pieces of malware, according to leading security software maker Symantec. While 48 of the top 100 worst are adult-themed sites, others featured diverse topics, ranging from deer hunting and catering, to figure skating, electronics, and legal services. "We used to tell people if you stick with the 'safe neighborhood' you will be safe, and what we see from this list is that even if you stick to the safe neighborhood, it doesn't mean you are safe," said Symantec's Dan Schrader. "Your own judgment doesn't tell you anything about the security practices of that site." Ken Pappas of Top Layer Security adds that "The list of most-offensive websites is changing and new websites are constantly being infected. This is not something like building a ten most-wanted for criminals at large. "Whether it's ten viruses or ten thousand doesn't matter; the point is, many people are going to what they believe is a legitimate and trusted website. They have no idea or warnings it will potentially put malware in the computer." More information: http://www.scmagazineus.com/dirtiest-websites-host-average-18000-threats/article/146919/ http://safeweb.norton.com/dirtysites
  • #38 Center for Internet Security is a not-for-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions. National Security Agency Guidelines for Security Configurations Computer Security Resource Center supported by the National Institute of Standards and Technology