SlideShare a Scribd company logo

Rothke - A Pragmatic Approach To Purchasing Information Security Products

Ben Rothke
Ben Rothke

Rothke - A Pragmatic Approach to Purchasing Information Security Products. Given at the ACSAC conference December 2000

Technology
1 of 23
Download to read offline
A Pragmatic Approach to Purchasing Information Security Products ACSAC - New Orleans December 2000 Ben Rothke, CISSP Senior Security Consultant Baltimore Technologies ben.rothke@baltimore.com ACSAC - December 2000 1
Today’s infosec landscape • Corporate networks are exceedingly complex, and are continuously becoming more Byzantine. Take an average Fortune 1000 MIS Department, add up all their: • Vendors • Topologies • Networks • Platforms • Add-ons • Custom written applications, etc. • Now try to securely integrate them. If security was not designed into the original system architecture, how exactly do you expect these security products to work? • Despite the fact that more and more is being spent on information systems security, things are getting more and more complex, and complex systems are much harder to protect. ACSAC - December 2000 2
What is pragmatic security? Knowing that: • Security is a process, not a product. – Just as Xenical doesn’t = weight loss, so too security products don’t automatically = security • Products don’t make good security, people do. • Security Pixie Dust doesn’t exist • The need for security policies. – Which needs to be wrapped around a well thought-out strategy ACSAC - December 2000 3
Products can’t do it alone • Even if 98% of the hosts in an organization were secured, and 98% of those secured were configured correctly; that still leaves room for breaches. • Cool products won’t solve real problems. Do you want that Air Gap appliance because it’s neat or you have defined its role? • With the abundance of security products and mechanisms, there is a scarcity of management tools ACSAC - December 2000 4
Questions to ask Before you buy a security product, ask yourself these questions: • Do you have a CSO? CTO? • Does the CSO have real power or it he simply a yes man to the CIO/CEO? • Do the CSO/CIO understand the business? • Do the CSO/CIO have a good relationship with the CIO/CFO/CEO? • Does the CSO have trained staff? • Are your developers trained in writing secure code? • Will your company rollout an application if it has failed a security audit? • Can a screaming SVP force your firewall admin to violate policy and open an unauthorized port? • More than a few no’s and you need a security strategy, not a product. If you buy a security product without the proper due diligence, then the product becomes theological, not practical. ACSAC - December 2000 5
Security strategy • Security strategy incorporates comprehensive information security practices in the corporate process. • A few of the myriad questions that must be posed are: § What are you trying to accomplish within infosec? § Do you have a information security mission statement? § How does security fit into the overall business goal? § Are staff members trained? § If you don’t train them – how do you expect to have security? § Many people installing security software have little, and often, no background in infosec § Have you taken significant time for research, planning, and designing a strategy for the product implementation § Did you get all divisions involved and high level (CEO, CFO) support § Are you able to sell this to management without using technical jargon § Don’t look at the micro level of a product, look at the macro level of the security of the system ACSAC - December 2000 6
Risk analysis & assessment • Without performing a comprehensive risk analysis, products operate in a vacuum. • An effective risk assessment and analysis ensures that you are worrying about the right things. • Many threats are internally based. But on the other hand, you have to realize that the internal staff can be your greatest partners. • The ultimate outcome of a risk analysis should be to see if you really can benefit from the product. Don’t worry about missing the bus. ACSAC - December 2000 7
Have you chosen a vendor? • Don’t pick a vendor until you know your needs • Don’t put too much faith in often exaggerated marketing material – We won’t even mention Press Releases • Don’t get into religious wars (PIX vs. Checkpoint, NT vs. Unix) before performing a complete architecture and technology assessment. ACSAC - December 2000 8
Most products are similar • As a general rule, most established commercial off the shelf security products are essentially indistinguishable from each other and can fundamentally achieve what most organizations require. Examples: • Checkpoint vs. PIX • Entrust vs. Baltimore • Cybercop vs. ISS • Given that, don’t obsess on the products. Focus on your staff, internal procedures, etc. • After you have done the appropriate research and analysis, then you can obsess on the products. ACSAC - December 2000 9
A look at security products • We are going to look a a few and at problems in their common implementation. • The bottom line is that no product can exist in a vacuum. • We will look at a few examples, but this holds true for all products in our lives. ACSAC - December 2000 10
Firewalls • Managements reaction to a hack “But we have a firewall!” • But did they have a firewall policy? – Policy is a critical element of the effective and successful operation of a firewall. A firewall can’t be effective unless it is deployed it in the context of working policies that govern its use and administration. – Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”. • Design must come before implementation – People in the construction business get this ACSAC - December 2000 11
For further information • Marcus Ranum – http://web.ranum.com/pubs/index.shtml • Thinking about Firewalls: Beyond Perimeter Security • Are Firewalls Obsolete? Pro and Con of the Debate • Can we "certify" a firewall? On the Topic of Firewall Testing • The ULTIMATELY Secure Firewall - An Adaptive Packet Destructive Filter • Building Internet Firewalls – by Elizabeth Zwicky • O'Reilly & Associates ISBN: 1565928717 • Firewalls and Internet Security – Bill Cheswick & Steve Bellovin • Addison-Wesley ISBN: 0201633574 (Second edition due 1Q2001) ACSAC - December 2000 12
Air Gap • An air gap is essentially a firewall. But if you call yourself a firewall, then you are competing with Checkpoint & PIX – that’s bad. • A firewall is a logical separation of two physical networks, whereas an air gap device is a physical separation of two logical networks. – So they say. A firewall is a tunnel, an air gap is a tunnel. And a tunnel is a tunnel is a tunnel. Giving it another name doesn’t mean it isn’t the same. – A half-duplex datastream with pico-second turnaround, coupled with a micrometer gap between two fiber connectors doesn't make a product any more or less secure than other firewalls. (Roger Marquis on the FW Wizards list) • An air gap device basically re-packages the TCP layer header information, otherwise leaving the packet intact. – This limits the ability of protocol-based attacks on a host – But what about the myriad other types of attacks? ACSAC - December 2000 13
For further information • Secrets and Lies:Digital Security in a Networked World – Bruce Schneier – John Wiley ISBN: 0471253111 • Hacking Linux Exposed: Network Security Secrets and Solutions – Anne Carasik, George Kurtz, Saumil Shah – McGraw-Hill ISBN: 0072127732 • Hacking Exposed - Second Edition – Stuart McClure, Joel Scambray, George Kurtz – McGraw-Hill ISBN: 0072127481 ACSAC - December 2000 14
PKI • PKI in a nutshell - Establishing trust and maintaining that level of trusted assurance • In the real world, trust is built through a complex web of social, legal, national, international and business interactions that often take years or decades to develop. – drivers license – ID badges – credit cards – Birth/marriage/death records – passports – treaties • What the above provides is trust, underwritten by the providing authority. Unfortunately, that same level of trust is much harder to implement in the electronic world. ACSAC - December 2000 15
PKI/Digital certificates • A digital certificate is simply an electronic credential. • The value of the certificate is determined by the CA that issues it. – Just as it is possible to get a worthless identification card in Times Square, so is it possible to get a worthless, albeit cryptographically strong digital certificate. • Your browser likely has at least 25 certificates loaded. • In the future, people will have a plethora of certificates, just like they have a glut of credit cards. ACSAC - December 2000 16
PKI/Digital certificates • Does a certificate = security? No! – Certificates are simply one aspect of a PKI. To the degree that the PKI is well-defined and configured, is to the degree that the certificate has value. – Have you ever checked the certificate on a web site to see if it belongs to the vendor you are about to give your credit card to? • How do you know if you're ready to roll with your PKI? – Do you have a strategy on how to deal with the hundreds (thousands) of in-house applications that are not PKI compliant? – Do you have a strategy to deal with certificate rollout & revocation? – Do you understand what your CPS means? • Non-repudiation – Mathematical definition vs. Practical definition – Dead men can sign documents ACSAC - December 2000 17
Certificate practice statement 1. Introduction 4. Operational Requirements Overview Physical & logical controls Identification 5. Technical Security Controls Community & Applicability Key properties Contact Details Key Strength References Private key distribution Definitions Confidentiality key archive 2. General Provisions Evidence required to retrieve a key Obligations Compromise of CA keys CA Obligations 6. Certificate and CRL Profiles RA Obligations Certificate Profile End User Obligations CRL Profile Interpretation and Enforcement 7. Specification Administration 3. Identification and Authentication Specification Change Procedures Initial Registration Publication and Notification Procedures Identity verification process 8. Policy Status Identity Verification Check Certificate Renewal From: www.baltimore.com/download/index.html Revocation Request Also see Certificate Policies and Certification Practice Statements at: www.entrust.com/downloads/pdf/cps.pdf www.verisign.com/repository/CPS/CPS-1_2-009.doc ACSAC - December 2000 18
For further information • Understanding the Public-Key Infrastructure – Carlisle Adams, Steve Lloyd New Riders ISBN: 157870166X • Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy – Stefan Brands MIT Press; ISBN: 0262024918 • Secure Electronic Commerce: Building the Infrastructure – Warwick Ford & Michael Baum Prentice Hall ISBN: 0134763424 • Ten Risks of PKI – www.counterpane.com/pki-risks.html • Lockstar - www.lockstar.com • Shym Technology - www.shym.com ACSAC - December 2000 19
So what’s the solution? • Stop buying products and develop a strategy – Develop a realistic, enforceable security policy – Create a security organization • If you have a small IT shop, give security responsibilities (and training!) to existing staff • At the very least, make sure you have a full-time CSO-equivalent with real power – All IT staff needs to be on the security bandwagon – it takes only one rotten apple to spoil the pie. – Have information security involved from the inception of all new projects; security as an afterthought is invariably poor ACSAC - December 2000 20
What’s the solution? • Another solution is to outsource information security. – Banks outsource their money-handling to armed guards. • Given the dearth of people who have experience in security, the complexity in securing it all and the difficulties in staffing a 24x7x365 security operations center (SOC), Managed Security Providers (MSP) are growing in popularity. – Counterpane Internet Security – RIPTech – Guardent – myCIO.com – ISS • Nonetheless, outsourcing isn’t a panacea. It doesn’t solve the problem that the organization didn’t get correct from the start. ACSAC - December 2000 21
Conclusions • Real change takes time • There are no silver bullets, no pixie dust solutions. Y2K clearly showed that. • Complex distributed systems don’t always need complex solutions. But elegant solutions take time and effort to effectively and properly develop, test and rollout. • Security is a process, not a product ACSAC - December 2000 22
Thank You!! Ben Rothke, CISSP, CCO Baltimore Technologies www.baltimore.com ben.rothke@baltimore.com ACSAC - December 2000 23

Recommended

Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopMichele Chubirka
 
System Security Beyond the Libraries
System Security Beyond the LibrariesSystem Security Beyond the Libraries
System Security Beyond the LibrariesEoin Woods
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesMajor Hayden
 
Security Guide For Small Business
Security Guide For Small BusinessSecurity Guide For Small Business
Security Guide For Small BusinessBrendanRose
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Frameworkcentralohioissa
 

Recommended

Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
Cloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerCloud, DevOps and the New Security Practitioner
Cloud, DevOps and the New Security PractitionerAdrian Sanabria
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopMichele Chubirka
 
System Security Beyond the Libraries
System Security Beyond the LibrariesSystem Security Beyond the Libraries
System Security Beyond the LibrariesEoin Woods
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesMajor Hayden
 
Security Guide For Small Business
Security Guide For Small BusinessSecurity Guide For Small Business
Security Guide For Small BusinessBrendanRose
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Frameworkcentralohioissa
 
Scrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanScrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanNetIQ
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down underRoger Hagedorn
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Dale Butler
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesNetIQ
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspacemark-smith
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesHinne Hettema
 
Mind the gap
Mind the gapMind the gap
Mind the gapRoger Hagedorn
 
Getting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it ThereGetting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it ThereEoin Woods
 
Cloud Security - Idealware
Cloud Security - IdealwareCloud Security - Idealware
Cloud Security - IdealwareIdealware
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worsecentralohioissa
 
The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?NTEN
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowRoger Hagedorn
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...centralohioissa
 
Zenith Infotech Mirror Cloud Presentation. 112211
Zenith Infotech Mirror Cloud Presentation. 112211Zenith Infotech Mirror Cloud Presentation. 112211
Zenith Infotech Mirror Cloud Presentation. 112211hdmchughgmailcom
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityDell EMC World
 
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...Livingstone Advisory
 
ICPW2007.deWaard
ICPW2007.deWaardICPW2007.deWaard
ICPW2007.deWaardpragmaticweb
 
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...Timo Honkela: Introductory lecture of the seminar course on Computational Pra...
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...Timo Honkela
 

More Related Content

What's hot

Scrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanScrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanNetIQ
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down underRoger Hagedorn
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerGFI Software
 
Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Dale Butler
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesNetIQ
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspacemark-smith
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesHinne Hettema
 
Getting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it ThereGetting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it ThereEoin Woods
 
Cloud Security - Idealware
Cloud Security - IdealwareCloud Security - Idealware
Cloud Security - IdealwareIdealware
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourleyGovCloud Network
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worsecentralohioissa
 
The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?NTEN
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowRoger Hagedorn
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Adrian Sanabria
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec
 
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...centralohioissa
 
Zenith Infotech Mirror Cloud Presentation. 112211
Zenith Infotech Mirror Cloud Presentation. 112211Zenith Infotech Mirror Cloud Presentation. 112211
Zenith Infotech Mirror Cloud Presentation. 112211hdmchughgmailcom
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityDell EMC World
 
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...Livingstone Advisory
 

What's hot (20)

Scrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky CleanScrubbing Your Active Directory Squeaky Clean
Scrubbing Your Active Directory Squeaky Clean
 
Security initiatives here and down under
Security initiatives here and down underSecurity initiatives here and down under
Security initiatives here and down under
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability ScannerPrevent Getting Hacked by Using a Network Vulnerability Scanner
Prevent Getting Hacked by Using a Network Vulnerability Scanner
 
Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012Oil and gas cyber security nov 2012
Oil and gas cyber security nov 2012
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
Technologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible CyberspaceTechnologies and Policies for a Defensible Cyberspace
Technologies and Policies for a Defensible Cyberspace
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
 
Mind the gap
Mind the gapMind the gap
Mind the gap
 
Getting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it ThereGetting Your System to Production and Keeping it There
Getting Your System to Production and Keeping it There
 
Cloud Security - Idealware
Cloud Security - IdealwareCloud Security - Idealware
Cloud Security - Idealware
 
110307 cloud security requirements gourley
110307 cloud security requirements gourley110307 cloud security requirements gourley
110307 cloud security requirements gourley
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worse
 
The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?The Cloud Beckons, But is it Safe?
The Cloud Beckons, But is it Safe?
 
Data Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to KnowData Security: What Every Leader Needs to Know
Data Security: What Every Leader Needs to Know
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
 
Zenith Infotech Mirror Cloud Presentation. 112211
Zenith Infotech Mirror Cloud Presentation. 112211Zenith Infotech Mirror Cloud Presentation. 112211
Zenith Infotech Mirror Cloud Presentation. 112211
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
 
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
UTSpeaks Public Lecture: Clearing up the Cloud -19th July 2011 - Rob Living...
 

Viewers also liked

Timo Honkela: Introductory lecture of the seminar course on Computational Pra...
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...Timo Honkela: Introductory lecture of the seminar course on Computational Pra...
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...Timo Honkela
 
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)Brian Huff
 
Pragmatic linguistics»
Pragmatic linguistics»Pragmatic linguistics»
Pragmatic linguistics»Miguel Seura
 
Pragmatics: Conversation and Preference Structure
Pragmatics: Conversation and Preference StructurePragmatics: Conversation and Preference Structure
Pragmatics: Conversation and Preference StructureEko Alreza
 
Pragmatics in the EFL classroom: An introduction
Pragmatics in the EFL classroom: An introductionPragmatics in the EFL classroom: An introduction
Pragmatics in the EFL classroom: An introductionJerry Talandis
 
Pragmatics (Linguistics)
Pragmatics (Linguistics)Pragmatics (Linguistics)
Pragmatics (Linguistics)Coltz Mejia
 
Introduction to linguistics lec 1
Introduction to linguistics lec 1Introduction to linguistics lec 1
Introduction to linguistics lec 1Hina Honey
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
 
Pragmatics presentation
Pragmatics presentationPragmatics presentation
Pragmatics presentationMehwish Nazar
 
Pragmatics: Deixis And Distance By Dr.Shadia.Pptx
Pragmatics: Deixis And Distance By Dr.Shadia.PptxPragmatics: Deixis And Distance By Dr.Shadia.Pptx
Pragmatics: Deixis And Distance By Dr.Shadia.PptxDr. Shadia Banjar
 
Pragmatics - George Yule
Pragmatics - George YulePragmatics - George Yule
Pragmatics - George YuleAnthony Salinas
 

Viewers also liked (17)

ICPW2007.deWaard
ICPW2007.deWaardICPW2007.deWaard
ICPW2007.deWaard
 
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...Timo Honkela: Introductory lecture of the seminar course on Computational Pra...
Timo Honkela: Introductory lecture of the seminar course on Computational Pra...
 
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
A Pragmatic Strategy for Oracle Enterprise Content Management (ECM)
 
Pragmatic linguistics»
Pragmatic linguistics»Pragmatic linguistics»
Pragmatic linguistics»
 
Pragmatics: Conversation and Preference Structure
Pragmatics: Conversation and Preference StructurePragmatics: Conversation and Preference Structure
Pragmatics: Conversation and Preference Structure
 
Pragmatics: Introduction
Pragmatics: IntroductionPragmatics: Introduction
Pragmatics: Introduction
 
Pragmatics in the EFL classroom: An introduction
Pragmatics in the EFL classroom: An introductionPragmatics in the EFL classroom: An introduction
Pragmatics in the EFL classroom: An introduction
 
Pragmatics
PragmaticsPragmatics
Pragmatics
 
What is pragmatics
What is pragmaticsWhat is pragmatics
What is pragmatics
 
Pragmatics (Linguistics)
Pragmatics (Linguistics)Pragmatics (Linguistics)
Pragmatics (Linguistics)
 
Introduction to linguistics lec 1
Introduction to linguistics lec 1Introduction to linguistics lec 1
Introduction to linguistics lec 1
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
 
Pragmatics
PragmaticsPragmatics
Pragmatics
 
Pragmatics
PragmaticsPragmatics
Pragmatics
 
Pragmatics presentation
Pragmatics presentationPragmatics presentation
Pragmatics presentation
 
Pragmatics: Deixis And Distance By Dr.Shadia.Pptx
Pragmatics: Deixis And Distance By Dr.Shadia.PptxPragmatics: Deixis And Distance By Dr.Shadia.Pptx
Pragmatics: Deixis And Distance By Dr.Shadia.Pptx
 
Pragmatics - George Yule
Pragmatics - George YulePragmatics - George Yule
Pragmatics - George Yule
 

Similar to Rothke - A Pragmatic Approach To Purchasing Information Security Products

Event Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control SystemsEvent Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control SystemsInfonaligy
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security PractitionerAdrian Sanabria
 
Extending security in the cloud network box - v4
Extending security in the cloud network box - v4Extending security in the cloud network box - v4
Extending security in the cloud network box - v4Valencell, Inc.
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber SecurityMisha Hanin
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
 
Security For Free
Security For FreeSecurity For Free
Security For Freegwarden
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433Terry Gilsenan
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Michele Chubirka
 
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...Ben Rothke
 
Protecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyProtecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyShawn Tuma
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Cloud Security Alliance Lviv Chapter
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Ray Bugg
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...Robert Parker
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...Leif Davidsen
 

Similar to Rothke - A Pragmatic Approach To Purchasing Information Security Products (20)

Event Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control SystemsEvent Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control Systems
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Extending security in the cloud network box - v4
Extending security in the cloud network box - v4Extending security in the cloud network box - v4
Extending security in the cloud network box - v4
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber Security
 
Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
 
Security For Free
Security For FreeSecurity For Free
Security For Free
 
terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433terry-gilsenan-pie-operating.10433
terry-gilsenan-pie-operating.10433
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
 
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
 
Protecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyProtecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software Technology
 
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
Iurii Garasym - Cloud Security Alliance Now in Ukraine. Mission, Opportunitie...
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
Risks vs real life
Risks vs real lifeRisks vs real life
Risks vs real life
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 

More from Ben Rothke

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Ben Rothke
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsRothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsBen Rothke
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionRothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionBen Rothke
 
E5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionE5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionBen Rothke
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systemsBen Rothke
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about themBen Rothke
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comLessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comBen Rothke
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligattBen Rothke
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeInterop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeBen Rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperBen Rothke
 
Rothke effective data destruction practices
Rothke effective data destruction practicesRothke effective data destruction practices
Rothke effective data destruction practicesBen Rothke
 
Rothke computer forensics show 2010
Rothke computer forensics show 2010Rothke computer forensics show 2010
Rothke computer forensics show 2010Ben Rothke
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceBen Rothke
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftLa nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftBen Rothke
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperBen Rothke
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 

More from Ben Rothke (20)

Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
Rothke rsa 2012 what happens in vegas goes on youtube using social networks...
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsRothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
Rothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryptionRothke rsa 2013 - deployment strategies for effective encryption
Rothke rsa 2013 - deployment strategies for effective encryption
 
E5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionE5 rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comLessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity com
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligatt
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeInterop 2011 las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. Hooper
 
Rothke effective data destruction practices
Rothke effective data destruction practicesRothke effective data destruction practices
Rothke effective data destruction practices
 
Rothke computer forensics show 2010
Rothke computer forensics show 2010Rothke computer forensics show 2010
Rothke computer forensics show 2010
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS Compliance
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftLa nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswift
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White Paper
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Rothke - A Pragmatic Approach To Purchasing Information Security Products

  • 1. A Pragmatic Approach to Purchasing Information Security Products ACSAC - New Orleans December 2000 Ben Rothke, CISSP Senior Security Consultant Baltimore Technologies ben.rothke@baltimore.com ACSAC - December 2000 1
  • 2. Today’s infosec landscape • Corporate networks are exceedingly complex, and are continuously becoming more Byzantine. Take an average Fortune 1000 MIS Department, add up all their: • Vendors • Topologies • Networks • Platforms • Add-ons • Custom written applications, etc. • Now try to securely integrate them. If security was not designed into the original system architecture, how exactly do you expect these security products to work? • Despite the fact that more and more is being spent on information systems security, things are getting more and more complex, and complex systems are much harder to protect. ACSAC - December 2000 2
  • 3. What is pragmatic security? Knowing that: • Security is a process, not a product. – Just as Xenical doesn’t = weight loss, so too security products don’t automatically = security • Products don’t make good security, people do. • Security Pixie Dust doesn’t exist • The need for security policies. – Which needs to be wrapped around a well thought-out strategy ACSAC - December 2000 3
  • 4. Products can’t do it alone • Even if 98% of the hosts in an organization were secured, and 98% of those secured were configured correctly; that still leaves room for breaches. • Cool products won’t solve real problems. Do you want that Air Gap appliance because it’s neat or you have defined its role? • With the abundance of security products and mechanisms, there is a scarcity of management tools ACSAC - December 2000 4
  • 5. Questions to ask Before you buy a security product, ask yourself these questions: • Do you have a CSO? CTO? • Does the CSO have real power or it he simply a yes man to the CIO/CEO? • Do the CSO/CIO understand the business? • Do the CSO/CIO have a good relationship with the CIO/CFO/CEO? • Does the CSO have trained staff? • Are your developers trained in writing secure code? • Will your company rollout an application if it has failed a security audit? • Can a screaming SVP force your firewall admin to violate policy and open an unauthorized port? • More than a few no’s and you need a security strategy, not a product. If you buy a security product without the proper due diligence, then the product becomes theological, not practical. ACSAC - December 2000 5
  • 6. Security strategy • Security strategy incorporates comprehensive information security practices in the corporate process. • A few of the myriad questions that must be posed are: § What are you trying to accomplish within infosec? § Do you have a information security mission statement? § How does security fit into the overall business goal? § Are staff members trained? § If you don’t train them – how do you expect to have security? § Many people installing security software have little, and often, no background in infosec § Have you taken significant time for research, planning, and designing a strategy for the product implementation § Did you get all divisions involved and high level (CEO, CFO) support § Are you able to sell this to management without using technical jargon § Don’t look at the micro level of a product, look at the macro level of the security of the system ACSAC - December 2000 6
  • 7. Risk analysis & assessment • Without performing a comprehensive risk analysis, products operate in a vacuum. • An effective risk assessment and analysis ensures that you are worrying about the right things. • Many threats are internally based. But on the other hand, you have to realize that the internal staff can be your greatest partners. • The ultimate outcome of a risk analysis should be to see if you really can benefit from the product. Don’t worry about missing the bus. ACSAC - December 2000 7
  • 8. Have you chosen a vendor? • Don’t pick a vendor until you know your needs • Don’t put too much faith in often exaggerated marketing material – We won’t even mention Press Releases • Don’t get into religious wars (PIX vs. Checkpoint, NT vs. Unix) before performing a complete architecture and technology assessment. ACSAC - December 2000 8
  • 9. Most products are similar • As a general rule, most established commercial off the shelf security products are essentially indistinguishable from each other and can fundamentally achieve what most organizations require. Examples: • Checkpoint vs. PIX • Entrust vs. Baltimore • Cybercop vs. ISS • Given that, don’t obsess on the products. Focus on your staff, internal procedures, etc. • After you have done the appropriate research and analysis, then you can obsess on the products. ACSAC - December 2000 9
  • 10. A look at security products • We are going to look a a few and at problems in their common implementation. • The bottom line is that no product can exist in a vacuum. • We will look at a few examples, but this holds true for all products in our lives. ACSAC - December 2000 10
  • 11. Firewalls • Managements reaction to a hack “But we have a firewall!” • But did they have a firewall policy? – Policy is a critical element of the effective and successful operation of a firewall. A firewall can’t be effective unless it is deployed it in the context of working policies that govern its use and administration. – Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”. • Design must come before implementation – People in the construction business get this ACSAC - December 2000 11
  • 12. For further information • Marcus Ranum – http://web.ranum.com/pubs/index.shtml • Thinking about Firewalls: Beyond Perimeter Security • Are Firewalls Obsolete? Pro and Con of the Debate • Can we "certify" a firewall? On the Topic of Firewall Testing • The ULTIMATELY Secure Firewall - An Adaptive Packet Destructive Filter • Building Internet Firewalls – by Elizabeth Zwicky • O'Reilly & Associates ISBN: 1565928717 • Firewalls and Internet Security – Bill Cheswick & Steve Bellovin • Addison-Wesley ISBN: 0201633574 (Second edition due 1Q2001) ACSAC - December 2000 12
  • 13. Air Gap • An air gap is essentially a firewall. But if you call yourself a firewall, then you are competing with Checkpoint & PIX – that’s bad. • A firewall is a logical separation of two physical networks, whereas an air gap device is a physical separation of two logical networks. – So they say. A firewall is a tunnel, an air gap is a tunnel. And a tunnel is a tunnel is a tunnel. Giving it another name doesn’t mean it isn’t the same. – A half-duplex datastream with pico-second turnaround, coupled with a micrometer gap between two fiber connectors doesn't make a product any more or less secure than other firewalls. (Roger Marquis on the FW Wizards list) • An air gap device basically re-packages the TCP layer header information, otherwise leaving the packet intact. – This limits the ability of protocol-based attacks on a host – But what about the myriad other types of attacks? ACSAC - December 2000 13
  • 14. For further information • Secrets and Lies:Digital Security in a Networked World – Bruce Schneier – John Wiley ISBN: 0471253111 • Hacking Linux Exposed: Network Security Secrets and Solutions – Anne Carasik, George Kurtz, Saumil Shah – McGraw-Hill ISBN: 0072127732 • Hacking Exposed - Second Edition – Stuart McClure, Joel Scambray, George Kurtz – McGraw-Hill ISBN: 0072127481 ACSAC - December 2000 14
  • 15. PKI • PKI in a nutshell - Establishing trust and maintaining that level of trusted assurance • In the real world, trust is built through a complex web of social, legal, national, international and business interactions that often take years or decades to develop. – drivers license – ID badges – credit cards – Birth/marriage/death records – passports – treaties • What the above provides is trust, underwritten by the providing authority. Unfortunately, that same level of trust is much harder to implement in the electronic world. ACSAC - December 2000 15
  • 16. PKI/Digital certificates • A digital certificate is simply an electronic credential. • The value of the certificate is determined by the CA that issues it. – Just as it is possible to get a worthless identification card in Times Square, so is it possible to get a worthless, albeit cryptographically strong digital certificate. • Your browser likely has at least 25 certificates loaded. • In the future, people will have a plethora of certificates, just like they have a glut of credit cards. ACSAC - December 2000 16
  • 17. PKI/Digital certificates • Does a certificate = security? No! – Certificates are simply one aspect of a PKI. To the degree that the PKI is well-defined and configured, is to the degree that the certificate has value. – Have you ever checked the certificate on a web site to see if it belongs to the vendor you are about to give your credit card to? • How do you know if you're ready to roll with your PKI? – Do you have a strategy on how to deal with the hundreds (thousands) of in-house applications that are not PKI compliant? – Do you have a strategy to deal with certificate rollout & revocation? – Do you understand what your CPS means? • Non-repudiation – Mathematical definition vs. Practical definition – Dead men can sign documents ACSAC - December 2000 17
  • 18. Certificate practice statement 1. Introduction 4. Operational Requirements Overview Physical & logical controls Identification 5. Technical Security Controls Community & Applicability Key properties Contact Details Key Strength References Private key distribution Definitions Confidentiality key archive 2. General Provisions Evidence required to retrieve a key Obligations Compromise of CA keys CA Obligations 6. Certificate and CRL Profiles RA Obligations Certificate Profile End User Obligations CRL Profile Interpretation and Enforcement 7. Specification Administration 3. Identification and Authentication Specification Change Procedures Initial Registration Publication and Notification Procedures Identity verification process 8. Policy Status Identity Verification Check Certificate Renewal From: www.baltimore.com/download/index.html Revocation Request Also see Certificate Policies and Certification Practice Statements at: www.entrust.com/downloads/pdf/cps.pdf www.verisign.com/repository/CPS/CPS-1_2-009.doc ACSAC - December 2000 18
  • 19. For further information • Understanding the Public-Key Infrastructure – Carlisle Adams, Steve Lloyd New Riders ISBN: 157870166X • Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy – Stefan Brands MIT Press; ISBN: 0262024918 • Secure Electronic Commerce: Building the Infrastructure – Warwick Ford & Michael Baum Prentice Hall ISBN: 0134763424 • Ten Risks of PKI – www.counterpane.com/pki-risks.html • Lockstar - www.lockstar.com • Shym Technology - www.shym.com ACSAC - December 2000 19
  • 20. So what’s the solution? • Stop buying products and develop a strategy – Develop a realistic, enforceable security policy – Create a security organization • If you have a small IT shop, give security responsibilities (and training!) to existing staff • At the very least, make sure you have a full-time CSO-equivalent with real power – All IT staff needs to be on the security bandwagon – it takes only one rotten apple to spoil the pie. – Have information security involved from the inception of all new projects; security as an afterthought is invariably poor ACSAC - December 2000 20
  • 21. What’s the solution? • Another solution is to outsource information security. – Banks outsource their money-handling to armed guards. • Given the dearth of people who have experience in security, the complexity in securing it all and the difficulties in staffing a 24x7x365 security operations center (SOC), Managed Security Providers (MSP) are growing in popularity. – Counterpane Internet Security – RIPTech – Guardent – myCIO.com – ISS • Nonetheless, outsourcing isn’t a panacea. It doesn’t solve the problem that the organization didn’t get correct from the start. ACSAC - December 2000 21
  • 22. Conclusions • Real change takes time • There are no silver bullets, no pixie dust solutions. Y2K clearly showed that. • Complex distributed systems don’t always need complex solutions. But elegant solutions take time and effort to effectively and properly develop, test and rollout. • Security is a process, not a product ACSAC - December 2000 22
  • 23. Thank You!! Ben Rothke, CISSP, CCO Baltimore Technologies www.baltimore.com ben.rothke@baltimore.com ACSAC - December 2000 23