Information and Systems Security Practice


Information & Systems Security Practice
CRITICAL SECURITY ISSUES
4th in the series of
Senior Management Intelligence Briefings
Presented To:
50th Anniversary AITP
National Conference
Version 2.504
Updated: October 19, 2001
“Protecting the most important organizational asset – information.”
Systems Security Briefing
Part I
INTRODUCTION
© Ajilon LLC., Proprietary & Confidential
2
Who needs to care?
Good Afternoon

Liable Managers:
 Chief Information Security Officer
 Chief Privacy Officer
 Other Sr. Person responsible for security
 CIO/CTO/CFO or other “C-Suite” member
 Directors, Officers, or other Signatories.

Those Responsible For:
 Network/Telecommunications
 E-Commerce
 IT Support (Help Desk, BCP, Ops, Data Ctr, etc.)
 Applications
 Business Lines
 Decision Makers
 Employees.
Why are we here?
Purpose

Goal:
 Raise awareness
 Bring new information to light
 Share insight and suggest approaches.

Objectives:
 Data is the most important asset
 Areas of weakness we have in common
 Threats affecting all of us
 What is required/expected of us
 No-nonsense/pragmatic approaches.
What will be covered?
Agenda

 Introductions
 Security overview and context
 Current security issues
 Insight and Action Items
 Questions and Answers
 Additional information sources.
How can we best tailor our presentation?
Introductions

Attendee Introductions:
 Industries:
- Government
- Commercial
- Financial Services
- Healthcare
- Telecom
- IT Related
- Manufacturing
 Environment:
- Heterogeneous mix of technologies and platforms?
- Strong on tools, weak on process?
- Security maturity not maintained?

Ajilon Introductions.
Overview
Ajilon

 30+ Year History
 2000 Revenue: $1.6 Billion
 6,000+ full-time consultants in 50+ cities in N. America
 Global Reach – 10,000 consultants in 7 countries: United States, Canada, United Kingdom, France, Japan, New Zealand, Australia.
 Part of Adecco, the world’s largest personnel services firm in 60 countries worldwide.
 Recently ranked #1 in the IT Services Bureau Report.
Where does our experience come from?
Relationships
Systems Security Briefing
Part II
SECURITY CONTEXT
What are we concerned with?
Information Asset

Defined:
 The output of a process and/or means by which data are analyzed,
transformed into something of value (i.e., it has applicability and
meaning), put into a useable form, communicated to those with
need, and used in support of management approved purposes.

Examples:
 Data (i.e., in both hard and soft copy)
 Logic machines (DBMS, applications, transactions)
 Physical machines (computers, routers, hubs, phones)
 Pathways (pipe, fiber, cable, wire)
 Personnel
 Physical Plant
 Intangibles – Process/Culture/Goodwill.
What are we talking about?
Security Context
[Diagram: Information Assets at the centre, surrounded by four risk impact areas – (1) Denial of Service, (2) Denial of Use, (3) Unauthorized Disclosure, (4) Modification or Destruction. Threat sources shown around the assets: Management Policies & Procedures, Software Failure, Communications Security, and Viruses & Worms, grouped under the Operating Environment and Applications & Programs.]
How did we get here?
Security Exposure

Then:
 Concerned about “CIA”
 Environment:
- Fixed Boundaries
- Known/Trusted Users
- Controlled
- Utilities
- Responsibility
- Stable
- Standardized
 Posture – Due Care Achieved.

Now:
 Concerned about “CIA”
 Environment:
- No borders
- Unknown users
- Give up control
- Integration Nightmare
- No responsibilities
- Dynamic
- No standards
 Posture – Due Care Not Achieved.
What are the dynamics of the situation?
Security Imperative

Major Trends:
 Security breaches on the rise (i.e., recognition of)
 Illusion of security destroyed by 11 September
 Financial losses substantial and increasing
 “NETworks” bring increased vulnerabilities
 Industrial espionage is real and rising
 IT budget constraints inhibit security
 Skills shortages continue
 Adversaries strengthening
Shouldn’t I be focused on other initiatives?
Technology Issues

AICPA’s Top Ten Technology Issues:
 Electronic Commerce
 Communications & Wireless Technologies
 Internets, Intranets, Private Networks, etc.
 Training & Technology Competency
 Image Processing
 Telecommuting/Virtual Office/Mail Technology
 Portable Technology/Remote Connectivity
 Workflow Technology
 Security and Controls
 Outsourcing to Application Service Providers.

All of these issues are security issues!
How should today’s discussion be focused?
Major Security Issues

 Organization
 Policies & Procedures
 Inappropriate Access
 Malicious Code
 Cyberterrorism
 E-Commerce
 Risk Management
 Security Program
 Changing Regulations
Systems Security Briefing
Part IIIA
ISSUES DISCUSSION
Security Issues Faced
Organization, Policy, or Procedure

Definition:
 Increasing rate of environmental change
 Limited applicability to Internet risk model
 Limited awareness thwarts enforcement.

Support:
 Most organizations lack comprehensive ISS
strategy
 ISS accounts for less than 1% of total staff
 Existing strategies are rarely balanced
 Legal doctrine of inevitable disclosure
 Security Quick Test.
Security Issues Faced
Inappropriate Access (Local/Remote)

Definition:
 Widespread proliferation of Internet connections,
wireless technologies, and mobile platforms, coupled
with societal changes have dramatically increased the
stakes involved in information protection.

Support³:
 No unsuccessful “penetration studies”
 Infoweek study concludes hacking costs world economy
$1.6T
 Over 30% could not verify that they had not been
attacked.
 “Script Kiddies”
Security Issues Faced
Inappropriate Access (Local/Remote)


 Realities of inability to design security from the ground up. Have to accept dominant platforms and their current level of security.
 Microsoft’s business model:
 Security is an afterthought
 Business ROI/TCO often at odds with security.

Security Advisories (CERT Statistics):

Type             2001*     2000      1999
Email            39,181    56,365    34,612
Hotline          712       1,280**   2,099
Vulnerabilities  1,151     1,090     417
Alerts           17        26        22
Incidents        15,476    21,756    9,859

*Through Q2 2001. **Decline represents use of alternative reporting channels, not occurrence of incidents.
Security Issues Faced
San Diego Experiment

Setup:
 Will unpatched hosts be discovered?
 San Diego Supercomputer Center set up an otherwise unused host running Red Hat Linux 5.2 with no security patches installed. Monitoring was established to record traffic to and from the host.

Results:
 8 hours – Probed for Solaris RPC vulnerability, not compromised
 21 days – 20 exploits tried for vulnerabilities including POP, IMAP,
telnet, RPC, and MountD. Exploit attempts failed because they
were exploits for Red Hat 6.X
 40 days – POP server vulnerability compromised, some system
logs wiped, and rootkit and sniffer installed.
 See: http://worm.sdsc.edu for more information.
Security Issues Faced
Viruses

 Not all inappropriate access is by a person.
 Malicious code is as real as ever
 CRN reports cost of viruses tops $10B YTD
 Top Viruses:
- W32.Nimda.A@mm
- W97M.Camino.A@mm
- W32.Vote.A@mm
- W32.Whiter.Trojan
- X97M.Ellar.A
- Backdoor.Slackbot.B
- VBS.VBSWG.D@mm
- Backdoor.Destiny
- Backdoor.Litmus
- W32/Ucon@MM
 CodeRed caused $2.4 billion in cleanup [2001]. Nimda’s costs not yet known.
 Over 40 new malware threats since 9/11
What are the issues?
E-Commerce Issues

Issues exist in several categories:
 Application Functionality:
 Application Design:
- Foundation Components
- Access Controls & Programming Practices
- Standardization
- Underlying Network Infrastructure.
 Increasingly Stringent Requirements:
- Due Diligence
- Legislation
- Customer Expectations.
What are the E-Commerce Design Parameters?
E-Commerce Design

Process Outweighs Technology:
 Cost of Downtime in some cases now exceeds
$1M per hour.
 Hard failures cause 20% unplanned downtime
 Application Failures cause 40%
 Operator Errors account for remaining 40%
 Majority of failures are, therefore, ultimately a
management problem not solvable by early
warning tools such as IDS or by reliability
mechanisms such as hardware redundancy.
What are the E-Commerce Design Parameters?
E-Commerce Design

Definition:
 To ensure success, data must be safeguarded,
customer trust must be preserved, secure
payment schemes must be provided, and tools
must be appropriately used.

Empirical Evidence:
 Placing too much trust in the web server
 Placing the web server in the wrong location
 Improperly configured firewalls
 SSL from browser to web server only, not N2N
 Same for client-side digital certificates
 Disconnected logins – no N2N authentication
 Not applying basic programming practices.
 Over-dependence causes less emphasis on internal security control.
How did we get here?
Cyberterrorism

 Specific types of potentially damaging “cyberactivities”
 Different sources and different targets
 Different levels of risk for enterprises.
 These types of activities include:
- Hactivism
- Cybercrime
- Cyberterrorism.
Are we speaking the same language?
Terminology

Hactivism:
 Hacking in the name of patriotism or similar “cause”.

Cybercrime:
 Online criminal activity undertaken for financial gain. No new types expected to emerge from 9/11; however, activity has risen and is expected to rise further as criminals attempt to take advantage of perceived uncertainties in financial systems.

Cyberterrorism:
 Computer-based crime intended to cause loss of life or property in pursuit of political goals. Likely to increase and will mostly target US Government facilities and infrastructure centers. Overall, very few attacks will constitute true cyberterrorism; these few attacks will, however, have the potential to cause significant damage.
Security Issues Faced
Industrial Espionage

Definition:
 Directed efforts to obtain sensitive information
about the operations of a competitor through both
legal and questionable means.

Support:
 1,100 documented incidents
 Losses $300 Billion annually⁶
 FBI forms High Tech Squad
 US Attorney’s Office forms CHIP – Computer Hacking and Intellectual Property unit.
Security Issues Faced
Software Compliance

Definition:
 The use of illegal copies of software, whether known
or not, exposes the organization to the threat of
viruses, legal action, and higher TCO.

Support:
 Cost to US Companies $2.6B in lost sales
 Cost of piracy settlements usually outweighs costs
incurred by a company using legitimate software
 Fines up to $250K (up from $150K) per illegal copy
 BSA investigated 500+ companies in 2000
 BSA has collected $60M+ in fines over last 9 years
 Vast majority of cases stem from hotline tips!
Security Issues Faced
Government/Legal Sectors

Definition:
 Organizations must continually monitor their external
environments for threats and opportunities emanating from
the Government and the courts.

Support:
 Creation of computer crime units at Secret Service, FBI, and Air Force.
 Environment changes favoring prosecution.
 Substantial new regulations pending or expected:
- Federal Sentencing Guidelines
- Economic Espionage Act of 1996
- Creation/Extension of computer crime laws
- Cybersecurity Act reintroduced to provide FOIA protections.
Security Issues Faced
Government/Legal Sectors

Privacy:
 Federal act not updated since 1974
 55+ pieces of legislation now in Congress
 States passing own legislation; States’ rights prevail
 HIPAA/FSMA/COPPA/DPPA are only the beginning
 EU Data Protection Directive.
 Faxing destroys confidentiality
 Insurance companies indexing premiums to risk.
 Strategic Planning Presumptions:
- Consumers will pressure companies to adopt privacy policies consistent with safe harbor practices, with or without specific regulatory guidance
- Events of 11 September will probably result in legislation usurping some privacy rights.
What are some of the major pieces of recent Federal legislation?
Electronic Signatures in Global and National
Commerce Act (E-Sign)

Applicability
 Contracts, agreements, or records entered into or
provided in, or affecting, interstate or foreign
commerce.

Provisions:
 Commerce Dept. to promote electronic signatures internationally by following certain principles:
- Free markets and self-regulation vs. Gov’t standards
- Technology-neutral policies
- Parties to a transaction establish requirements
- Legal validity not to be denied because signatures are not in writing
- No foreign Gov’t imposition of standards on private industry.
What are some of the major pieces of recent Federal legislation?
Health Insurance Portability and Accountability Act
(HIPAA)

Applicability:
 A named HCO or if you electronically transmit (or
even store) patient identifiable medical
information.

Provisions:
 DHHS to issue rule sets for:
- Standardization on Transactions and Code Sets
- Security, Privacy, and Electronic Signatures
- Standardization of Identifiers.
 EDI and Privacy sets finalized.
What about the States?
E-Crimes & Computer Piracy

Criminalizes Attempts To:
 Gain intentional, willful, or excessive access
 Cause malfunction or interruption
 Alter, damage, or destroy
 Possess, identify, or attempt to identify any valid access codes
 Distribute or publicize any valid access codes to any unauthorized person.

Establishes Penalties:
 Access Violations – Misdemeanor and fines up to $1,000, up to 3 years in prison, or both
 DOS/Disclosure/Destruction:
- Losses < $10,000 – Misdemeanor; $5,000 / 5 years or both
- Losses > $10,000 – Felony; $10,000 / 10 years or both
What about the States?
Maryland’s Data Security & Privacy Law

Stipulates:
 Must have established need to create personal record
 Personal Information collected must be:
- Appropriate
- Accurate and current
- Collected from person of interest.
 Provide person of interest with:
- Purpose for collection
- Consequences of refusal
- Right to inspect, amend, or correct
- Degree and extent of availability.
 Must post privacy policy
 Establish/maintain records management program.
Systems Security Briefing
Part IIIB
ISSUES RESOLUTION
What should I do about it?
OP&P Recommendations

Recommendations:
 Formalize organization and responsibilities
 Establish accountability
- Business Owner Responsibility
- IT Coordination
- Authority for head of “Security” (e.g., CISO, CPO)
 Classify and assign value to information assets
 Review/Refine policies & procedures
 Buy ISPME or similar product.

Support²:
 Annual ISS budget to increase 20% for 2001
 ISS Staffing to increase 15% for 2001
 70% have at least 1 and as many as 4 FTEs dedicated to
security
 82% in the US and 80% worldwide centralizing security
administration.
What should I do about it?
Function/Design Recommendations

Organizational:
 Establish a permanently funded program
- Assign a full time information security officer
- Assign a liaison in each business function
- Include policies and procedures in ISS program
- Develop an incident response capability.
 Centralize Standardization and Coordination
 Decentralized Application
 Compartmentalize
 Periodically reassess/audit network security
 Link business processes with digital signatures for
user authorization.
What should I do about it?
Function/Design Recommendations

Technical:
 Prominently display messages explaining what information is kept and how and why you ensure its security.
 Implement and properly configure controls:
- Encryption and authentication (i.e., SSL, SHTTP, Shen)
- Enterprise-wide directory services for authentication
- Establish end-to-end multi-factor authentication.
 Download and run tools against your own network
 Keep everything updated
 Use vulnerability assessment tools (wisely)
 Use IDS (both network and host based)
 Don’t use technology to drive policy.
What should I do about it?
Function/Design Recommendations

Procedural:
 Invest in improving IT processes (e.g., change, configuration and
problem management, performance or capacity planning,
application architecture or design, and operator hiring or training).
 Develop a requirements hierarchy
 Develop/Adopt Standards
 Comprehensive ISS posture assessment
 Corrective action plans for unacceptable risks
 Due care diligence for accepted risks
 Value assignment to information assets
 Proactive protection steps
 Commensurate value countermeasures
 Training and awareness
What can I do about this?
Regulatory Recommendations

Technical:
 Monitor users
 Create audit trails
 Physical surveillance
 Document.

Business:
 Be proactive
 Participate in, but don’t rely on Government
 Contact industry/trade groups.

Privacy Policy:
 Keep only what you need
 Let customers know how and what you keep
 Keep it secure
 Give customers ability to “opt-in”
 Give customers ability to view and correct data.
What can I do about this?
Espionage Recommendations

 Sweeps (Visual, Electronic, & Physical)
 Standards/procedures for EEA compliance.
 Integrate business intelligence into all strategic activity.
 Contact competitive intelligence vendors
 People, People, People.
What can I do about this?
Piracy Recommendations

 Check sources of and register software purchased
 Issue comprehensive software mgmt. policy
 Organize software distribution and management
 Contact Software and Information Industry Association (merger of SPA and IIA) or BSA:
- GASP Audit Tool
- Guide to Software Management.
What does network security entail?
Network Security Functions

 Network Mapping
 Vulnerability Analysis
 Boundary Protection
 Infrastructure Fortification
 Intrusion Detection
 Incident Response
 Security Management (within Enterprise Management Framework)
Now that I’m connected…
E-Business Security Functions

 Authentication
 Authorization
 Secure Data in Motion
 Secure Data at Rest
 Application Security
Systems Security Briefing
Part IV
ACTION STEPS
Putting it all Together
Programmatic Recommendations

To address all areas:
 Continuous vigilance
 Conduct an assessment of security maturity
 Conduct an assessment of risk
 Conduct a vulnerability assessment of networks
 Prioritize areas for improvement
- Unacceptable risk to be addressed immediately
- Unacceptable risks with corrective action plans
- Acceptable risks with carefully reasoned defense
 Mitigate Risk
 Prepare incident response plan
 Proactive Offensive
- Public Notification
- Regular/Triggered Reassessments
 People, People, People
In what areas would you like more detail?
Implementation Guidelines

Tailored Discussion:
 Define Steps to Build a Security Program
 Create an Information Security Policy
 Create an Information Categorization Scheme
 Define Basic Security Roles/Profiles
 Define Steps/Actions to Comply with Laws
 Define a Posture Assessment Process
 Define Risk Assessment Process
 Create a Risk Management Policy
 Define an E-Commerce Requirements Hierarchy
 Define an E-Commerce Model/Architecture
 Recommend Point Product Solutions.
Where do I start?
Enterprise Integration

Steps to Build The Program:
 Identify initial roles and responsibilities
 Define the organization reporting structure
 Define remaining roles and responsibilities
 Define a process for identifying/assigning owners
 Determine services to be provided
 Implement SLAs with the businesses
 Define staffing requirements
 Dedicate personnel to these functions
 Perform training and awareness.

[Diagram: program cycle with INFORMATION at the centre and the stages Assess Risk, Implement, Review & Enhance, Change, and Training & Awareness.]
Where do I start with Policy?
Policy

Basic Statement of Policy:
 Information is an asset, is deemed to have value, and as
such should be provided with a level of protection
commensurate with its value.

Characteristics of an Effective Policy:
 Intent – Define the purpose of the policy.
 Authority – Person/organization authorizing policy.
 Responsibilities – “Protecting the information assets of the organization is
the responsibility of each and every employee”.
 Scope – Define the boundaries within the organization to which the policy
shall apply (People, Process, and Platform).
 Procedures – “Information is to be classified based on value, sensitivity, risk
of loss, and legal and retention requirements.”
 Compliance – Specify how policy will be enforced and how compliance will
be measured.
 Standing – When policy takes effect and the duration for which it is valid.
 Rationale – Explain why the policy was developed.
 References – Incorporate policies by reference
What do I want to make sure to include?
Expanded Policy Statement

All information, regardless of its form or format, that is created or
used in support of organizational business activities is corporate
information.

Corporate information is deemed to have value, is a company asset,
and must be protected starting with its creation, throughout its
useful life, and ending with its authorized disposal.

Information security is the responsibility of every member of the
organization and positive steps must be taken to prevent
unauthorized or improper access, disclosure, modification, or
destruction of information assets.

Furthermore, information shall be maintained in a secure, accurate,
and reliable manner and be readily available for authorized use.

Information shall be classified based on its sensitivity, legal, and
retention requirements, and type of access required by employees
and other authorized personnel.

Finally, information assets may only be used for management-approved purposes, and management reserves the right to inspect its information assets and their use at any time.
What would be a basic approach?
Single Factor Classification

Sensitivity:
 Refers to the damage potential associated with the
unauthorized use or disclosure of an information asset.

Four-Tier Scheme:
 Public – Information made available for public distribution through authorized
channels. This is information, that if disclosed outside, would not harm the
organization, our employees, customers, or business partners.
 Internal Use – Information intended for use by all employees when conducting our
business. Thus, this information is not sensitive to disclosure within the company,
but could harm us if disclosed externally.
 Restricted – Information intended for use by a subset of our employees when
conducting company business. This information would not only cause harm if
disclosed externally, but could also cause harm if disclosed inappropriately within.
 Confidential – Information that, if disclosed, could violate privacy of individuals,
reduce our competitive advantage, or cause damage to our organization. This is
sensitive information to which access is only granted on a “need to know” basis.
What must I do if I expect to take advantage of new laws?
Computer Crimes

Be Prepared To Answer:
 Has this happened before?
 What do you want law/prosecutors to do?
 Was there any delay in reporting the event?
 Do you know what failed and why?
 Have you started your own investigation?
 Have you identified a potential suspect?
 Can you quantify and document the loss?
 Do accurate records of what happened exist?
 Will you prosecute?
What should/must I do to address Privacy Requirements/Expectations?
Privacy Policies & Data Security

Action Items:
 Keep only what data is required
 Let customers know what data you keep
 Keep entrusted data secure
 Give customers ability to “opt-in”
 Give ability to view and correct data.
 Informed consent privacy statement
 Let customers know how you capture data (i.e., specify purpose and life span of cookies).

SAFE HARBOR PRINCIPLES:
- Notice
- Choice
- Onward Transfer
- Security
- Data Integrity
- Access
- Enforcement

Other:
 Bind third parties to “Chain of Trust”
 Check where, what, and how third parties gather anonymous profile data.
How can I go about doing periodic assessments?
Methodology

Security Maturity Model©
Tell me more
Methodology

10 Key Practice Areas:
1. Data Security
2. Security Program Assessment
3. Security Program Management
4. Technical Security
5. Security Awareness and Training
6. System/User Access
7. Risk Management
8. Personnel Security
9. Contractor/Procurement Security
10. Data Operations Center Security

12 Assessment Values:
 Not Assessed
 Not Performed
 Under Consideration
 Initial Planning (Not yet Funded)
 Plan to Implement (Funded)
 Partial Implementation
 Barely Adequate
 Room To Improve
 Satisfactory
 Operating Well
 Fully Implemented
 Best Practice.

Sources:
 Specific Test
 Direct Observation
 Written Documentation
 Direct Report
 Indirect Report.
How can I assess risk?
Risk Analysis Framework
[Figure: Risk Analysis Framework – a matrix rating Impact and Likelihood (scores 1–3) for Hardware, Software, and Data assets against Natural/Environmental, Accidental Human, and Intentional Human threat sources.]
How can I best ensure reuse?
Risk Management Policy

Goal:
 Guidelines upon which action can be taken by
information owners.

Policy:
 Risk Analyses will be conducted on a routine/periodic basis no less than once per year.
 Risk Analyses will be conducted as part of every major business decision (begs definition).
 Defined process will be followed and action taken:

Likelihood \ Impact   Low           Moderate        High                 Critical
Negligible            Acceptable    Acceptable      Acceptable           Acceptable
Unlikely              Acceptable    Acceptable      Unacceptable         Unacceptable
Probable              Acceptable    Unacceptable    Unacceptable         Unacceptable
Highly Probable       Acceptable    Unacceptable    Unacceptable         Immediate Response
Almost Certain        Acceptable    Unacceptable    Immediate Response   Immediate Response
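A small risk-register evaluator built on the likelihood/impact matrix of this policy, added here as an example (it is not Ajilon's code or method): it looks up the policy verdict, checks the matrix is internally consistent, ranks a constructed sample register using the three response categories from the Programmatic Recommendations slide, and shows the residual verdict after a countermeasure. The sample register entries, the ACTION wording and the function names are assumptions.

```python
from dataclasses import dataclass

# Ratings in ascending order of severity, exactly as labelled on the slide.
LIKELIHOOD = ["Negligible", "Unlikely", "Probable", "Highly Probable", "Almost Certain"]
IMPACT = ["Low", "Moderate", "High", "Critical"]

# MATRIX[likelihood][impact] -> policy verdict, transcribed from the policy table.
MATRIX = [
    ["Acceptable", "Acceptable", "Acceptable", "Acceptable"],
    ["Acceptable", "Acceptable", "Unacceptable", "Unacceptable"],
    ["Acceptable", "Unacceptable", "Unacceptable", "Unacceptable"],
    ["Acceptable", "Unacceptable", "Unacceptable", "Immediate Response"],
    ["Acceptable", "Unacceptable", "Immediate Response", "Immediate Response"],
]

# What each verdict obliges the information owner to do. Wording is an assumption
# following the "Prioritize areas for improvement" bullets of the briefing.
ACTION = {
    "Immediate Response": "address immediately",
    "Unacceptable": "corrective action plan",
    "Acceptable": "accept with a carefully reasoned defense (due care)",
}
SEVERITY = {"Acceptable": 0, "Unacceptable": 1, "Immediate Response": 2}


def rate(likelihood: str, impact: str) -> str:
    """Return the policy verdict for one likelihood/impact pair.

    Unknown labels raise rather than mapping to a default, so a mis-typed
    register entry cannot quietly become 'Acceptable'.
    """
    try:
        return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]
    except ValueError as exc:
        raise ValueError(f"unknown rating {likelihood!r}/{impact!r}") from exc


def matrix_is_monotone() -> bool:
    """Sanity check on the policy itself: the verdict must never get milder
    as likelihood or impact increases. Run whenever the matrix is edited."""
    for r, row in enumerate(MATRIX):
        for c, cell in enumerate(row):
            if c and SEVERITY[cell] < SEVERITY[row[c - 1]]:
                return False
            if r and SEVERITY[cell] < SEVERITY[MATRIX[r - 1][c]]:
                return False
    return True


@dataclass(frozen=True)
class RiskItem:
    asset: str        # information asset, in the sense of the Information Asset slide
    threat: str       # threat source: natural/environmental, accidental or intentional human
    likelihood: str
    impact: str


def residual(item: RiskItem, likelihood_steps: int = 0, impact_steps: int = 0) -> str:
    """Verdict after a countermeasure lowers likelihood and/or impact by whole steps.

    Lets an owner check whether a proposed control actually moves an item out of
    'Immediate Response' or 'Unacceptable' before the money is spent.
    """
    li = max(0, LIKELIHOOD.index(item.likelihood) - likelihood_steps)
    ii = max(0, IMPACT.index(item.impact) - impact_steps)
    return MATRIX[li][ii]


def prioritize(register):
    """Rate every register entry and return (verdict, action, item) tuples,
    most urgent first; within a verdict, higher impact then higher likelihood first."""
    rated = [(rate(i.likelihood, i.impact), i) for i in register]
    rated.sort(key=lambda t: (-SEVERITY[t[0]],
                              -IMPACT.index(t[1].impact),
                              -LIKELIHOOD.index(t[1].likelihood)))
    return [(verdict, ACTION[verdict], item) for verdict, item in rated]


# Constructed sample register (hypothetical entries, not from the briefing).
SAMPLE_REGISTER = [
    RiskItem("Unpatched Internet-facing host", "Intentional human", "Almost Certain", "High"),
    RiskItem("Customer database", "Intentional human", "Probable", "Critical"),
    RiskItem("Web server", "Software failure", "Highly Probable", "Moderate"),
    RiskItem("Data center", "Natural/Environmental", "Unlikely", "Critical"),
    RiskItem("Help desk phones", "Accidental human", "Almost Certain", "Low"),
]

if __name__ == "__main__":
    assert matrix_is_monotone(), "policy matrix is inconsistent"
    for verdict, action, item in prioritize(SAMPLE_REGISTER):
        print(f"{verdict:<18} {action:<52} {item.asset} / {item.threat}")
    # What one notch of likelihood reduction buys on the most urgent item.
    top = prioritize(SAMPLE_REGISTER)[0][2]
    print("after one-step likelihood reduction:", residual(top, likelihood_steps=1))
```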
Systems Security Briefing
Part V
SUMMARY & CONCLUSION
Putting it all Together
Summary

Axioms to Keep In Mind:
 Security and complexity are often inversely proportional
 Security and usability are often inversely proportional
 Good security now is better than perfect security later
(i.e., never)
 A false sense of security is worse than a true sense of
insecurity
 Your security is only as strong as your weakest link
 It is best to concentrate on known, probable threats
 Security is an investment, not an expense.
Where do I go from here?
Conclusion

Thank you for this opportunity

We welcome any questions you have

Suggested Next Steps:
 Assemble a planning team to determine your needs
 Keep asking yourself “Is there a business requirement?”
 Identify and define threats, vulnerabilities, and risks
 Create and/or review/refine your underlying security policy
 Create and/or review/refine your security architecture
 Create and/or review/refine an incident response capability
 Create and/or review/refine an acceptable use policy
 Refine systems policies and administration procedures.
Where can I go to get more information?
References
SOURCE – ADDRESS
Computer Security Institute – www.gocsi.com
Software & Information Industry Association – www.siia.net
Business Software Alliance – www.bsa.org
Electronic Privacy Information Center – www.epic.org
Security Portal – www.securityportal.com
Cooperative Intrusion Detection Evaluation & Response – www.nswc.navy.mil/ISSEC/CID/
Security Magazine – www.infosecnews.com
BlackICE – www.networkice.com
Government Security Portal – www.fedcirc.gov
Computer Emergency Response Team – www.cert.org
Systems and Network Security – www.sans.org
National Infrastructure Protection Center – www.fbi.gov/nipc or (202)-323-3205
United States Secret Service – www.treas.gov/usss, (202) 435-5850
Bureau of Alcohol, Tobacco & Firearms – www.atf.treas.gov
Federal Bureau of Investigation – www.fbi.gov
Federal Trade Commission – www.ftc.gov
Internet Fraud Complaint Center – www.ifccfbi.gov
US Postal Inspection Service – www.usps.gov/postalinspectors

* Use at your own risk
Where can I go to get more information?
References*
SOURCE – ADDRESS
Phrack Magazine – www.phrack.com
The L0pht – www.l0pht.com
Cult of the Dead Cow – www.cultdeadcow.com
Hack Factor X – www.hfactorx.org
The Codex – www.thecodex.com
Def Con – www.defcon.org
The Happy Hacker – www.happyhacker.org
Rootshell – http://rootshell.com
2600 Magazine – www.2600.com

* These are “hacker” sites that you use at your own risk. If you are going to access these sites, we encourage you to do so from a stand-alone computer that has no sensitive data or purpose and you can afford to have destroyed.
Where can I get more information?
Contact Information

Ms. Chris Wallace
District Manager; Baltimore
410-828-0788
[email protected]

Mr. John Keefauver
Account Manager
410-828-0788
[email protected]

Mr. Jason B. Taule CMC, CPCM
Global Director; ISS Practice
800-995-6277
[email protected]

Mr. Randy Meyers, GIAC
Director; Network Security Services
443-280-0272
[email protected]