Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP.

Published byMary Gomez Modified over 10 years ago

Similar presentations

Presentation on theme: "The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP."— Presentation transcript:

1 The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP

2 Potomac Consulting Group www.potomac.com Don Philmlee - don@potomac.com www.potomac.comdon@potomac.com

3 What this section will cover Perceived vs. Real Threats What your firm can do Assessing assets and risk What are some firms doing?

4 Perception vs. Reality PerceptionReality Good security is achieved by using the right technology. Good security is achieved by good policies, procedures, educated users, understanding your assets and your risks as well as technology. Our real security problem comes from external sources Most security problems come from within – employees. Our client information cannot be at risk. Our security has to be 100%. Using a computer is a matter of accepting risk – the question is how much risk is acceptable and how well can it be minimized.

5 Cautions More out there then your firm can contend with Dont buy into fear mongering Easy to squander a security budget

6 Security Perceptions PerceptionReality UserSecurity is not my responsibility. Users are at the very heart how a firms security is implemented and can be the cause of success or failure of security controls. ITWe do what we can, but we dont get the money or support to lock everything down. You dont have to lock everything down tight, just the assets that are most valuable and at the most risk. Mgmt often provides little guidance here. MgmtSecurity is handled by my IT department. We did an audit two years ago and came up clean. Security is a mgmt issue and should be driven from the top down. Mgmt needs to know what security controls are in effect now.

7 What can you do? Security is attainable Organize your response Follow the concepts of Due Care / Due Diligence Security should be driven by management not the technicians Defend only what you need to Integrate your people, process and technology

8 Visualize Your Security Layers

9 Assess Your Systems Identify what does your firm values most: –Email –Document stores –Personnel database –Remote access –Client extranet –Etc.

10 Quantify Your Assets Assign a financial value to each asset. eg: –Cost to Build –Cost to Protect –Value to Competition –Cost to Recover

11 Evaluate Potential Risks Realistically decide what are the likely problems you may face. eg: –Hurricane –Terrorist attack –Hacker –Disgruntled employee –(basic disaster recovery planning)

12 Classic Risk Assessment Determine a quantitative value of qualitative assets. This is one approach to valuation using the CIA triad: ConfidentialityIntegrityAvailabilityValue Email 3238 Client files 3216 Lit Supp DB 3126 Recruiting DB 2114 High=3 Medium=2 Low=1

13 Now, Create a Plan of Action Administrative Controls –Security Policies & Procedures –Security Awareness Training Technical Controls –Quality Passwords –Workstation Lockdown –Etc. Physical Controls –Intrusion Detection –Locks –Etc.

14

15 Security is NOT a one-time effort Systems are dynamic Evaluate the implementation Vulnerability scanning External 3 rd party assessments

16 Regularly Review Asset Security Just as financial systems are audited regularly, information systems should be audited on a regular basis as well Should be done once or twice a year or as technology changes are made

17 What are Most Firms Doing? Pay too much attention to the external problems Not enough attention to internal problems Not making security a management process.

18 Often Ignored Problems Workstation Lockdown Workstation Standardization Quality Passwords Laptop Security Home Networks Poorly done Security Policies Little or no Security Awareness Training

19 Workstation Lockdown / Standards Workstations should be Business Computers NOT Personal Computers Effective, but not popular Users download from the Internet Spyware has become a big problem Root Kits / Trojans / Worms

20 Quality Passwords Passwords are the keys to the kingdom First layer of user security They are NOT often taken seriously Use passphrases not passwords 8 character passwords are good, but 15 (or more) character passwords are better

21 Laptop Security Hotels / Home Networks Dsniff / webspy / spectorsoft / wireless sniffers Personal Firewalls (XP SP2) Encrypted Files (EFS)

22 Conclusions Security is an attainable goal Security has fast become a priority Challenge is to determine the best and most appropriate solution for your needs. Integrate your people, process and technology into security Security needs become part of your firms culture

23 Resources SANS Institute – www.sans.orgwww.sans.org CERT – www.cert.orgwww.cert.org CISecurity – www.cisecurity.orgwww.cisecurity.org Microsoft – www.microsoft.com/securitywww.microsoft.com/security

24 Questions? Potomac Consulting Group www.potomac.com Don Philmlee, CISSP don@potomac.com www.potomac.com don@potomac.com

Download ppt "The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP."

Similar presentations

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
MSIA 711 1 Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.

MSIA Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.
Security Controls – What Works

Security Controls – What Works
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Lecture 10 Security and Control.

Lecture 10 Security and Control.
Lecture 10 Security and Control.

Lecture 10 Security and Control.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Introducing Computer and Network Security

Introducing Computer and Network Security
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Similar presentations

Ads by Google