SAGECare® Security Practice
Customer Appreciation Days

Information Security - A mindset, not a product

www.SAGEcomputer.com        Making Business Smarter   ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
Introductions


     • SAGE Computer Associates, Inc
        – Designing, installing, supporting computer networks
          since 1983
        – Experience supporting 300+ clients
        – Certified engineers on staff
     • Jeff Cohn
        – President
     • Jason Appel
        – Security Practice Manager
              – CISSP, CCSP, INFOSEC, MCSE, MCT, MCSA, CCDA, CSSA




This morning...
     • In the news...
     • What is Information Security
     • AAA – Authentication, Authorization, Accounting
     • Threat Identification
     • Policies
     • Case studies: recent local incidents

In the news…




Information Security




     NOT about computers
     It’s about the information…



Information Security Goal: IAC triad
     • Availability
     • Integrity
     • Confidentiality

Integrity
     • Information is valid and usable
     • Confidence in the information
              – Garbage in, garbage out
     • Preventing accidental or malicious changes
     • Only authorized changes




Availability
     • Information is there when needed
     • Redundant systems
              – RAID
              – Power
              – Network
              – Server clusters
              – Virtualization



Availability
     • Data backup, backup… oh, and backup again
              – Backup testing
              – Offsite storage
              – Media encryption
     • Business Continuity/Disaster Recovery Plan
              – PLAN (a GOOD 4 letter word)
              – Practice
              – Based on roles, not persons

Confidentiality
     • Only those authorized have access to information
     • File permissions and rights
              – Limit access
     • Communications
              – email, voice, file transfer
     • Encryption
     • Various models for information classification
              – Could be time sensitive
     • Data Destruction

AAA – Who, What, Where of IAC
     • Authentication: who are you?
              – Username/password
              – 2 factor authentication
              – Passwords...
     • Authorization: what can you do?
              – Rights and permissions
     • Accounting: who did what?
              – Logging, auditing and tracking
     • Identification and deniability
Threat Identification: External
     • Breach (Confidentiality, Integrity, Availability)
              – Possible external access to information or systems
     • Identity Theft (Confidentiality)
              – Using someone’s personal data for financial gain
     • Social Engineering (Confidentiality)
              – Using confidence (con) to gain access to information
              – Often used to gain information to create a breach
     • Spam (Availability, Integrity)
              – Unsolicited email
              – May contain malicious code or phishing links
     • Phishing (Confidentiality)
               – Spoofed (fake) message to trick people into posting information
              – Often used as basis for identity theft
Threat Identification: External
     • DoS - Denial of Service - (Availability)
              – Service is not available for legitimate use
     • Cracking/hacking (Integrity, Confidentiality, Availability)
              – Unauthorized, actively accessing systems
     • Malicious code (Integrity, Confidentiality, Availability)
              – Program or script that will cause harm - aka Malware
               – Viruses - need a host program or the computer’s components to run and spread
               – Worms - run and self-replicate on their own, without a host program or the
                 computer’s components
               – Trojan horse - malicious code masked as a useful or desirable program
               – Spyware/adware - non-malicious software used to track users and display
                 advertising
                  • Often poorly written and causes performance problems
                  • May contain other malicious code

Threat Identification: Internal
     • Internal threats
               – Accidental or deliberate, from authorized and trusted sources
               – Majority of security incidents are from internal sources
     • Information corruption (Integrity)
              – Data is not entered correctly or is modified to be wrong
     • Information destruction (Integrity)
              – Data is removed or deleted or otherwise inaccessible
     • Information leak (Confidentiality)
              – Data is revealed to unauthorized persons
     • Information outage (Availability)
              – Data services not available


What can we do – as an organization
     • Security Mindset
              – To catch a thief, think like a thief
     • Know your data
               – What would others like to gain access to?
               – What could be sold?
               – What you cannot work without?
               – Legally and contractually protected data
     • Encryption – A tool, not a panacea
               – Backup media
               – Hard drives
               – Communications
               – Flash drives
     • Educate users
              – Formal policies
              – Usage training
What can we do - as an organization
     • Follow best practices
               – Updates - Operating systems, firmware, software, Anti-Malware
               – Protection - Anti-Malware
               – Minimalist - run only what you need
     • Secure the network
               – Firewalls - stateful and deep packet inspection at perimeter
               – Anti-Malware at perimeter
               – IPS/IDS, perimeter and internal
               – DMZ
               – Software firewalls
     • Vendor support
              – Hardware warranties
              – Communication SLA
              – Support SLA
What can we do - as users
     • Anti-malware software
               – Run current versions of reputable anti-malware software
               – Be sure to update regularly with the latest virus, adware and spyware definitions
     • Update all software regularly
               – Turn on automatic operating system and software updates
               – Put a reminder on your calendar to check on your other programs regularly
                   • Includes Java, Flash and other browser based programs
     • If you don’t need it, don’t install it
               – Do not use free software at work
                   • Malware
                   • Licensing liability
What can we do - as users
     • Follow safe browsing and communications practices (internet, email, IM, social sites)
               – Pop-ups - ALT+F4 to close
               – Type-in, do not click through, specifically email
                   • Helps avoid phishing and malware
               – If you would not write it on paper, do not write it (email or online)
               – Avoid forwarding chain email and questionable jokes
                   • Be aware of who you’re sending it to
               – Use work PC for work
     • Know your organization’s policies

Formal Policies
     • Formal written policies should be guidelines for behavior and actions
               – Should be intelligible, readable and realistic documents, not legal contracts

     • Idea is to augment training and answer questions, not restrict employees




Formal Policies
     • Should we delete old emails? Should we reply to spam?

     • What can we send over email, IM and post on social networking websites?




Formal Policies
     • Should we run free software from spam and pop-ups? Open attachments?

     • Can we listen to streaming music and watch videos over the internet?




Formal Policies
     • Is our data safe? What if something happens to the building?

     • Do we really need passwords? Can we put them on post-its?

     • Can we access the network remotely?




Formal Policies
     • Consistently enforced policies protect both user and organization when facing…
              – Disasters
              – Legal discovery
              – Harassment issues
              – Employment disputes




Typical Policies
     • Computer, network and internet acceptable usage
     • Email and communications usage and retention
     • Data retention
     • Information Security
     • Business Continuity / Disaster Recovery


Recent Cases: Billing Website
     • Online payment system compromised
     • Healthcare funding organization accepting donations online
     • Recently changed payment providers to new system
     • On old system, thousands of small (less than $1) authorizations over a weekend
     • Analysis
               – Authorizations only, no charges made
               – No access to real donor information
               – Automated submissions, possibly pulled from old website code (5 years old)
     • Costs:
              – Incident investigation and report
              – Processing fees
              – Employee time & productivity
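The pattern in this case, thousands of sub-$1 authorizations over one weekend, is what a velocity check over the payment gateway's authorization log catches. An added example, not from the presentation or from SAGE; the log line format, thresholds and sample log are constructed assumptions:

```python
"""Flag bursts of tiny card authorizations like the ones in the billing-website
case: thousands of sub-$1 authorizations submitted by a script over a weekend.
Added example; the log line format below is an assumption, not any real
payment provider's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line format:
#   <ISO timestamp> AUTH <amount> <currency> src=<ip> result=<approved|declined>
def parse_auth_line(line):
    """Parse one authorization record; return None for non-AUTH lines."""
    fields = line.split()
    if len(fields) != 6 or fields[1] != "AUTH":
        return None
    ts, _, amount, currency, src, result = fields
    return {
        "ts": datetime.fromisoformat(ts),
        "amount": float(amount),
        "currency": currency,
        "src": src.split("=", 1)[1],
        "result": result.split("=", 1)[1],
    }

def find_auth_bursts(lines, max_amount=1.00, window=timedelta(hours=1), threshold=20):
    """Return (window_start, count, distinct_sources) for every fixed window in
    which more than `threshold` authorizations of at most `max_amount` occur.
    Real donors almost never authorize for pennies, so a burst of them is a
    script probing the payment form, whatever the approve/decline result."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None or rec["amount"] > max_amount:
            continue
        # Align the event to the start of its clock-aligned window.
        offset = (rec["ts"] - datetime.min) % window
        buckets[rec["ts"] - offset].append(rec["src"])
    alerts = []
    for start in sorted(buckets):
        sources = buckets[start]
        if len(sources) > threshold:
            alerts.append((start, len(sources), len(set(sources))))
    return alerts

def build_sample_log():
    """Constructed sample: three ordinary Friday donations, then an automated
    run of $0.50 authorizations every 20 seconds from Saturday 23:00."""
    lines = [
        "2009-03-13T10:02:11 AUTH 25.00 USD src=198.51.100.20 result=approved",
        "2009-03-13T14:45:30 AUTH 100.00 USD src=198.51.100.21 result=approved",
        "2009-03-13T16:10:05 AUTH 0.75 USD src=198.51.100.22 result=approved",
    ]
    start = datetime(2009, 3, 14, 23, 0, 0)
    for i in range(240):
        src = "203.0.113.7" if i % 3 else "203.0.113.9"
        when = (start + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{when} AUTH 0.50 USD src={src} result=approved")
    return lines

if __name__ == "__main__":
    for start, count, distinct in find_auth_bursts(build_sample_log()):
        print(f"{start:%Y-%m-%d %H:%M}: {count} sub-$1 authorizations "
              f"from {distinct} source address(es)")
```

The single $0.75 donation on Friday is not flagged; only the Saturday-night windows with 180 and 60 small authorizations are.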


Recent Cases: SQL Injection
     • Database compromise
     • Not-for-profit community service scheduling events on website
     • Website began redirecting users to a virus download, and the download URL was found
       in the scheduling database
               – Database contained customer identifiable info, credit card numbers, and social
                 security numbers
     • Analysis:
               – Exploit: websites with a “trivial coding error” and using Microsoft SQL Server
                 databases, ASP update not applied to web server
               – SQL injection: corrupt data was added to database (URL), no data read from
                 database
     • Costs:
               – Incident investigation and report
               – Database sanitizing
               – Employee time & productivity – all internet access was initially blocked during
                 the investigation
               – Reputation
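What the “trivial coding error” looks like beside its parameterized fix, plus the clean-up check that finds planted markup like the download URL in this case. An added example, not code from the incident or from SAGE; SQLite stands in for the site's Microsoft SQL Server, and the table, rows and planted URL are constructed:

```python
"""The scheduling-site compromise in miniature: the "trivial coding error"
(user input pasted into the SQL string) beside the parameterized fix, plus a
scan for injected markup like the download URL found in that database.
Added example, not code from the incident; SQLite stands in for the site's
Microsoft SQL Server, and the table, rows and injected URL are constructed."""
import sqlite3

def build_sample_db():
    """Constructed events table; row 2 carries a planted script tag the way the
    case's scheduling records carried a virus download URL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, notes TEXT)")
    conn.executemany(
        "INSERT INTO events (id, title, notes) VALUES (?, ?, ?)",
        [
            (1, "Board meeting", "Room B, bring agenda"),
            (2, "Spring fundraiser",
             'Tickets at the door<script src="http://malware.example/x.js"></script>'),
            (3, "Volunteer training", "Covers the new scheduling software"),
        ],
    )
    conn.commit()
    return conn

def lookup_event_vulnerable(conn, event_id):
    """The coding error: untrusted input becomes part of the SQL text, so a
    quote in the input changes the query the database sees."""
    sql = "SELECT id, title, notes FROM events WHERE id = '" + event_id + "'"
    return conn.execute(sql).fetchall()

def lookup_event_safe(conn, event_id):
    """Parameterized query: the input is bound as a value and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT id, title, notes FROM events WHERE id = ?"
    return conn.execute(sql, (event_id,)).fetchall()

# Markers that should never appear in free-text scheduling fields.
INJECTED_MARKERS = ("<script", "<iframe", "http://", "https://", "javascript:")

def scan_for_injected_content(conn, table, columns):
    """Return (row id, column, value) for every text cell containing one of
    INJECTED_MARKERS. Table and column names come from the operator, never
    from users; the f-string here is over trusted identifiers only."""
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if value and any(m in value.lower() for m in INJECTED_MARKERS):
                hits.append((row_id, col, value))
    return hits

if __name__ == "__main__":
    db = build_sample_db()
    crafted = "42' OR 'a'='a"   # constructed input with an embedded quote
    print("vulnerable:", len(lookup_event_vulnerable(db, crafted)), "rows")  # 3: whole table
    print("safe:      ", len(lookup_event_safe(db, crafted)), "rows")        # 0: no such id
    for row_id, col, value in scan_for_injected_content(db, "events", ["title", "notes"]):
        print(f"row {row_id} column {col!r} contains injected markup: {value!r}")
```

The scan is the sanitizing step the case lists under costs: run it over every text column before restoring service, and keep the hits as evidence for the incident report.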
Recent Cases: Admin Replacement
     • IT administrator no longer trusted
     • Multiple clients, ranging from associations to professional offices to health care
       providers
     • IT administrator is about to be let go, has gone missing, or is in jail
     • Password resets:
              – Network devices
                  • Firewalls, routers, switches, wireless networks
              – Administrator accounts
                  • Server, PCs, databases, email, applications
              – Service and vendor accounts
                  • Backup accounts, application accounts
              – Remote access
                  • VPN, portals
              – 3rd party accounts
                  • Vendors
              – ALL user accounts



Customer Appreciation Days

Questions?

Secure@SAGEComputer.com
