Information Security on a Budget: Where to Invest First


Information Security on a Budget: Where to Invest First
M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance
Dept. Computer Information Systems
Norwich University, Northfield, VT
[email protected]
http://www2.norwich.edu/mkabay/index.htm
Copyright © 2002 M. E. Kabay. All rights reserved.
Topics
- Policy, Power & Position
- Training and Awareness
- Hiring, Management and Firing
- System Administration
- Security Evaluations
Policy, Power & Position
- Policies must be living documents
- Assign responsibility for security
- CISO as equal of CEO, CFO, ...
- Status must not equal access
- Compliance depends on top-level support
Training and Awareness
- Training and awareness are not single events
- Social engineering can be fought only by awareness and preparation
- Constant learning is essential
  - Formal courses & conferences
  - Web-based courses
  - Free resources on Web
  - Textbooks, magazines
  - Videofilms and DVDs
  - In-house courses from experts
Hiring, Management and Firing
- Hiring
  - Check background carefully
  - Have candidates interviewed by future colleagues
- Management
  - Sensitive to changes in behavior
  - Enforce vacations
- Firing
  - Shut down access
  - Retrieve corporate property
System Administration
- Establish Effective Security Configurations
- Maintain Software
- Detect Security Breaches
- Respond Intelligently to Incidents
Establish Effective Security Configurations
- Default configurations often inadequate
- Firewalls need to implement thought-out policy
- Network topology should reflect needs for data partition
- Adapt network security to changing needs
- Evaluate anti-DDoS tools
Maintain Software
- Single most important problem: known vulnerabilities
- Consult or subscribe to alerts
  - CERT/CC http://www.cert.org
  - Bundesamt für Sicherheit in der Informationstechnik (BSI) http://www.bsi.bund.de/
  - Common Vulnerabilities and Exposures (CVE) database: ICAT Metabase http://icat.nist.gov/icat.cfm
BSI
http://www.bsi.bund.de/
ICAT / CVE
http://icat.nist.gov/icat.cfm
Detect Security Breaches
- Quick response is valuable and economical
- Intrusion detection systems (IDS)
  - Not cheap
  - Learn / define normal patterns
  - Identify anomalies
  - Allow human response
- Total cost of acquisition, tuning and management can be high
- But cost of undetected & uncontrolled penetration can be higher
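The anomaly-detection loop this slide describes (learn normal patterns, identify anomalies, hand the result to a human), as an added Python example that is not part of the original talk. The sshd-style log lines, the per-user baseline and the "usual hours plus one hour either side" rule are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (not from any real system): a training
# period used to learn "normal", then new traffic to check against it.
BASELINE_LINES = [
    "Mar 01 08:55:10 srv1 sshd: Accepted password for alice from 10.0.0.5",
    "Mar 01 09:12:01 srv1 sshd: Accepted password for bob from 10.0.0.7",
    "Mar 02 10:30:44 srv1 sshd: Accepted password for alice from 10.0.0.5",
    "Mar 02 17:05:19 srv1 sshd: Accepted password for bob from 10.0.0.7",
]
NEW_LINES = [
    "Mar 04 09:00:12 srv1 sshd: Accepted password for alice from 10.0.0.5",
    "Mar 04 03:14:55 srv1 sshd: Accepted password for alice from 10.0.0.5",
    "Mar 04 11:02:03 srv1 sshd: Accepted password for bob from 198.51.100.9",
    "Mar 04 12:00:00 srv1 sshd: Accepted password for mallory from 10.0.0.5",
]

LINE_RE = re.compile(r"^\w{3} \d{2} (\d{2}):\d{2}:\d{2} \S+ sshd: Accepted \w+ for (\S+) from (\S+)$")

def events(lines):
    """Yield (line, user, source, hour) for parseable accepted logins; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            hour, user, src = m.groups()
            yield line, user, src, int(hour)

def learn_baseline(lines):
    """Learn 'normal': per user, the source addresses and login hours seen in training."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for _, user, src, hour in events(lines):
        baseline[user]["sources"].add(src)
        baseline[user]["hours"].add(hour)
    return baseline

def detect_anomalies(baseline, lines):
    """Return (line, reason) pairs for a human to triage; the IDS alerts, it does not act."""
    alerts = []
    for line, user, src, hour in events(lines):
        if user not in baseline:
            alerts.append((line, f"unknown user {user}"))
            continue
        seen = baseline[user]
        lo, hi = min(seen["hours"]) - 1, max(seen["hours"]) + 1
        if src not in seen["sources"]:
            alerts.append((line, f"{user} from unseen source {src}"))
        elif not lo <= hour <= hi:
            alerts.append((line, f"{user} at hour {hour:02d}, outside usual {lo:02d}-{hi:02d}"))
    return alerts
```

Run `detect_anomalies(learn_baseline(BASELINE_LINES), NEW_LINES)` to get the three flagged logins; the first new line matches the baseline and produces no alert, which is the "define normal, then flag deviations" behaviour at work.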
Respond Intelligently to Incidents
- IDS useless without effective response plan
  - Computer Emergency Response Team
  - Also known as Incident Response Team
- Complex and expensive planning
  - Involvement from throughout organization
  - Most experienced personnel essential
- Link CERT/IRT to DRP and BCP
  - DRP = disaster recovery plan
  - BCP = business continuity plan
- May choose to use honeypots
  - System to delay intruder, study behavior
Security Evaluations
- Developing security policies may be too hard
  - Use existing guides
  - May use external help to reduce time spent by expensive employees
- Checking security may be best done by outsiders
  - Editing text is best done by someone else
  - Checking program source code is best done by another programmer
  - Need to find trustworthy experts
  - Beware those who hire criminal hackers
  - Should test only after development & training
Discussion