Presentation on theme: "The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP."— Presentation transcript:
The Whole/Hole of Security A Consultants Perspective August 25, 2004 Potomac Consulting Group Don Philmlee, CISSP
Potomac Consulting Group www.potomac.com Don Philmlee - firstname.lastname@example.org email@example.com
What this section will cover Perceived vs. Real Threats What your firm can do Assessing assets and risk What are some firms doing?
Perception vs. Reality PerceptionReality Good security is achieved by using the right technology. Good security is achieved by good policies, procedures, educated users, understanding your assets and your risks as well as technology. Our real security problem comes from external sources Most security problems come from within – employees. Our client information cannot be at risk. Our security has to be 100%. Using a computer is a matter of accepting risk – the question is how much risk is acceptable and how well can it be minimized.
Cautions More out there then your firm can contend with Dont buy into fear mongering Easy to squander a security budget
Security Perceptions PerceptionReality UserSecurity is not my responsibility. Users are at the very heart how a firms security is implemented and can be the cause of success or failure of security controls. ITWe do what we can, but we dont get the money or support to lock everything down. You dont have to lock everything down tight, just the assets that are most valuable and at the most risk. Mgmt often provides little guidance here. MgmtSecurity is handled by my IT department. We did an audit two years ago and came up clean. Security is a mgmt issue and should be driven from the top down. Mgmt needs to know what security controls are in effect now.
What can you do? Security is attainable Organize your response Follow the concepts of Due Care / Due Diligence Security should be driven by management not the technicians Defend only what you need to Integrate your people, process and technology
Assess Your Systems Identify what does your firm values most: –Email –Document stores –Personnel database –Remote access –Client extranet –Etc.
Quantify Your Assets Assign a financial value to each asset. eg: –Cost to Build –Cost to Protect –Value to Competition –Cost to Recover
Evaluate Potential Risks Realistically decide what are the likely problems you may face. eg: –Hurricane –Terrorist attack –Hacker –Disgruntled employee –(basic disaster recovery planning)
Classic Risk Assessment Determine a quantitative value of qualitative assets. This is one approach to valuation using the CIA triad: ConfidentialityIntegrityAvailabilityValue Email 3238 Client files 3216 Lit Supp DB 3126 Recruiting DB 2114 High=3 Medium=2 Low=1
Now, Create a Plan of Action Administrative Controls –Security Policies & Procedures –Security Awareness Training Technical Controls –Quality Passwords –Workstation Lockdown –Etc. Physical Controls –Intrusion Detection –Locks –Etc.
Security is NOT a one-time effort Systems are dynamic Evaluate the implementation Vulnerability scanning External 3 rd party assessments
Regularly Review Asset Security Just as financial systems are audited regularly, information systems should be audited on a regular basis as well Should be done once or twice a year or as technology changes are made
What are Most Firms Doing? Pay too much attention to the external problems Not enough attention to internal problems Not making security a management process.
Often Ignored Problems Workstation Lockdown Workstation Standardization Quality Passwords Laptop Security Home Networks Poorly done Security Policies Little or no Security Awareness Training
Workstation Lockdown / Standards Workstations should be Business Computers NOT Personal Computers Effective, but not popular Users download from the Internet Spyware has become a big problem Root Kits / Trojans / Worms
Quality Passwords Passwords are the keys to the kingdom First layer of user security They are NOT often taken seriously Use passphrases not passwords 8 character passwords are good, but 15 (or more) character passwords are better
Conclusions Security is an attainable goal Security has fast become a priority Challenge is to determine the best and most appropriate solution for your needs. Integrate your people, process and technology into security Security needs become part of your firms culture
Resources SANS Institute – www.sans.orgwww.sans.org CERT – www.cert.orgwww.cert.org CISecurity – www.cisecurity.orgwww.cisecurity.org Microsoft – www.microsoft.com/securitywww.microsoft.com/security
Questions? Potomac Consulting Group www.potomac.com Don Philmlee, CISSP firstname.lastname@example.org www.potomac.com email@example.com