The Whole/Hole of Security
A Consultant’s Perspective
August 25, 2004
Potomac Consulting Group
www.potomac.com
Don Philmlee, CISSP - [email protected]
What this section will cover
• Perceived vs. Real Threats
• What your firm can do
• Assessing assets and risk
• What are some firms doing?
Perception vs. Reality
Perception: Good security is achieved by using the right technology.
Reality: Good security is achieved by good policies, procedures, educated users, and understanding your assets and your risks, as well as technology.
Perception: Our real security problem comes from external sources.
Reality: Most security problems come from within – employees.
Perception: Our client information cannot be at risk. Our security has to be 100%.
Reality: Using a computer is a matter of accepting risk – the question is how much risk is acceptable and how well it can be minimized.
Cautions
• There is more out there than your firm can contend with
• Don't buy into fear mongering
• It is easy to squander a security budget
Security Perceptions
User perception: "Security is not my responsibility."
Reality: Users are at the very heart of how a firm's security is implemented and can be the cause of success or failure of security controls.
IT perception: "We do what we can, but we don't get the money or support to lock everything down. Mgmt often provides little guidance here."
Reality: You don't have to lock everything down tight, just the assets that are most valuable and at the most risk.
Mgmt perception: "Security is handled by my IT department. We did an audit two years ago and came up clean."
Reality: Security is a mgmt issue and should be driven from the top down. Mgmt needs to know what security controls are in effect now.
What can you do?
• Security is attainable
• Organize your response
• Follow the concepts of Due Care / Due Diligence
• Security should be driven by management, not the technicians
• Defend only what you need to
• Integrate your people, process and technology
Visualize Your Security Layers
Assess Your Systems
• Identify what your firm values most:
– Email
– Document stores
– Personnel database
– Remote access
– Client extranet
– Etc.
Quantify Your Assets
• Assign a financial value to each asset. eg:
– Cost to Build
– Cost to Protect
– Value to Competition
– Cost to Recover
Evaluate Potential Risks
• Realistically decide which problems you are likely to face. eg:
– Hurricane
– Terrorist attack
– Hacker
– Disgruntled employee
(basic disaster recovery planning)
Classic Risk Assessment
• Determine a quantitative value of qualitative assets.
• This is one approach to valuation using the CIA triad. Each asset is rated High = 3, Medium = 2, Low = 1 for Confidentiality, Integrity and Availability, and Value is the sum of the three:

Asset          Confidentiality  Integrity  Availability  Value
Email                 3              2           3          8
Client files          3              2           1          6
Lit Supp DB           3              1           2          6
Recruiting DB         2              1           1          4
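As an added example (not part of the original slides), the script below carries the slide's CIA-triad scoring through to a ranked list of assets. The asset names and C/I/A ratings are the ones in the table above; the per-asset likelihood rating and the dollar figures for cost to recover are this example's own assumptions, added so the value can be combined with "Evaluate Potential Risks" into a risk score that tells you which assets to defend first.

```python
"""Worked CIA-triad asset scoring, extended with a likelihood weighting.

Ratings for the four assets come from the slide's table. The likelihood and
cost_to_recover figures are constructed for illustration and are not on the slide.
"""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = 3, 2, 1   # rating scale from the slide


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int
    likelihood: int = MEDIUM      # assumption: how likely a loss event is (1..3)
    cost_to_recover: float = 0.0  # assumption: dollars, per "Quantify Your Assets"

    def cia_value(self) -> int:
        """The slide's Value column: C + I + A, each rated 1..3."""
        for rating in (self.confidentiality, self.integrity, self.availability):
            if rating not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{self.name}: rating {rating} is outside 1..3")
        return self.confidentiality + self.integrity + self.availability

    def risk_score(self) -> int:
        """Value weighted by likelihood (this example's extension, not the slide's)."""
        if self.likelihood not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"{self.name}: likelihood {self.likelihood} is outside 1..3")
        return self.cia_value() * self.likelihood


# C/I/A ratings copied from the slide; likelihood and cost are constructed.
ASSETS = [
    Asset("Email",         HIGH,   MEDIUM, HIGH,   likelihood=HIGH,   cost_to_recover=20_000),
    Asset("Client files",  HIGH,   MEDIUM, LOW,    likelihood=MEDIUM, cost_to_recover=50_000),
    Asset("Lit Supp DB",   HIGH,   LOW,    MEDIUM, likelihood=LOW,    cost_to_recover=35_000),
    Asset("Recruiting DB", MEDIUM, LOW,    LOW,    likelihood=LOW,    cost_to_recover=5_000),
]


def cia_table(assets):
    """Reproduce the slide's Value column as a name -> value mapping."""
    return {a.name: a.cia_value() for a in assets}


def rank_by_risk(assets):
    """Highest risk first; ties broken by cost to recover, then by name."""
    return sorted(assets, key=lambda a: (-a.risk_score(), -a.cost_to_recover, a.name))


def priority_list(assets, threshold):
    """Names of assets whose risk score meets the threshold: where the budget goes first."""
    return [a.name for a in rank_by_risk(assets) if a.risk_score() >= threshold]


if __name__ == "__main__":
    print(f"{'Asset':14} C I A Value Lik Risk")
    for a in rank_by_risk(ASSETS):
        print(f"{a.name:14} {a.confidentiality} {a.integrity} {a.availability} "
              f"{a.cia_value():5} {a.likelihood:3} {a.risk_score():4}")
    print("Defend first:", priority_list(ASSETS, threshold=12))
```

The threshold is a management decision, not a formula: it is the line below which "defend only what you need to" means accepting the risk rather than spending to reduce it. Re-run the scoring whenever an asset, its exposure, or the threat picture changes, which is the same point the "Security is NOT a one-time effort" slide makes.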
Now, Create a Plan of Action
• Administrative Controls
– Security Policies & Procedures
– Security Awareness Training
• Technical Controls
– Quality Passwords
– Workstation Lockdown
– Etc.
• Physical Controls
– Intrusion Detection
– Locks
– Etc.
Security is NOT a one-time effort
• Systems are dynamic
• Evaluate the implementation
• Vulnerability scanning
• External 3rd party assessments
Regularly Review Asset Security
• Just as financial systems are audited regularly,
information systems should be audited on a
regular basis as well
• Should be done once or twice a year or as
technology changes are made
What are Most Firms Doing?
• Pay too much attention to the external problems
• Not enough attention to internal problems
• Not making security a management process.
Often Ignored Problems
• Workstation Lockdown
• Workstation Standardization
• Quality Passwords
• Laptop Security
• Home Networks
• Poorly done Security Policies
• Little or no Security Awareness Training
Workstation Lockdown / Standards
• Workstations should be Business Computers, NOT Personal Computers
• Effective, but not popular
• Users download from the Internet
• Spyware has become a big problem
• Root Kits / Trojans / Worms
Quality Passwords
• Passwords are the keys to the kingdom
• First layer of user security
• They are NOT often taken seriously
• Use passphrases, not passwords
• 8 character passwords are good, but 15 (or more) character passwords are better (on Windows, a password of 15 or more characters also cannot be stored as a weak LM hash)
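As an added example (not part of the original slides), the script below turns the slide's two rules, "use passphrases" and "15 or more characters", into a policy check, and works out the brute-force arithmetic that justifies them. The minimum word count, the small blocklist, the Diceware-style word-list size of 7776 and the one-billion-guesses-per-second attacker are all assumptions made for illustration.

```python
"""Passphrase policy check plus the keyspace arithmetic behind "longer is better".

MIN_LENGTH follows the slide. MIN_WORDS, BLOCKLIST, the 7776-word dictionary and
the guess rate are constructed assumptions for this example.
"""
import math
import string

MIN_LENGTH = 15   # the slide's recommendation: 15 or more characters
MIN_WORDS = 3     # assumption: a passphrase is several words, not one token
# Constructed blocklist; a real deployment would use a large leaked-password list.
BLOCKLIST = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def check_passphrase(candidate: str) -> list[str]:
    """Return the policy violations; an empty list means the passphrase is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate.split()) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    if candidate.strip().lower() in BLOCKLIST:
        problems.append("on the blocklist")
    if len(set(candidate.lower())) < 5:
        problems.append("too few distinct characters")
    return problems


def charset_size(candidate: str) -> int:
    """Alphabet a blind attacker must assume: union of the character classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in candidate):
        size += 26
    if any(c in string.ascii_uppercase for c in candidate):
        size += 26
    if any(c in string.digits for c in candidate):
        size += 10
    if any(c in string.punctuation or c == " " for c in candidate):
        size += 33   # 32 ASCII punctuation marks plus the space
    return size


def brute_force_bits(candidate: str) -> float:
    """log2 of the keyspace when the attacker knows only the length and character classes."""
    if not candidate:
        return 0.0
    return len(candidate) * math.log2(charset_size(candidate))


def dictionary_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Worst case for a passphrase: the attacker knows it is word_count words from a known list.
    7776 is the size of a Diceware-style word list (assumption)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to search the whole keyspace offline against a stolen hash (assumed guess rate)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4d&r", "correct horse battery staple"):
        verdict = check_passphrase(candidate) or ["accepted"]
        bits = brute_force_bits(candidate)
        print(f"{candidate!r}: {', '.join(verdict)}; {bits:.1f} bits blind, "
              f"{years_to_exhaust(bits):.2f} years at 1e9 guesses/s")
    print(f"4 words from a 7776-word list, attacker knows the list: "
          f"{dictionary_bits(4):.1f} bits, {years_to_exhaust(dictionary_bits(4)):.2f} years")
```

The numbers make the slide's point: a nine-character "complex" password is around 59 bits against blind brute force, which a one-billion-guess-per-second attacker exhausts in about twenty years, while a 28-character passphrase of plain words is far beyond reach. The caveat a practitioner should keep in mind is the last line of output: once the attacker knows the passphrase is built from a word list, its strength is the number of words times the log of the list size, so four common words is only about 52 bits. Length helps, but so does using more words, or words the attacker's list does not contain.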
Laptop Security
• Hotels / Home Networks
• Dsniff / webspy / spectorsoft / wireless sniffers
• Personal Firewalls (XP SP2)
• Encrypted Files (EFS)
Conclusions
• Security is an attainable goal
• Security has fast become a priority
• The challenge is to determine the best and most appropriate solution for your needs.
• Integrate your people, process and technology into security
• Security needs to become part of your firm's culture
Resources
• SANS Institute – www.sans.org
• CERT – www.cert.org
• CISecurity – www.cisecurity.org
• Microsoft – www.microsoft.com/security
Questions?
Potomac Consulting Group
www.potomac.com
Don Philmlee, CISSP
[email protected]