The Whole/Hole of Security: A Consultant's Perspective. August 25, 2004. Potomac Consulting Group, Don Philmlee, CISSP.

Presentation transcript:


What this section will cover
–Perceived vs. Real Threats
–What your firm can do
–Assessing assets and risk
–What are some firms doing?

Perception vs. Reality

Perception: Good security is achieved by using the right technology.
Reality: Good security is achieved by good policies, procedures, educated users, and understanding your assets and your risks, as well as technology.

Perception: Our real security problem comes from external sources.
Reality: Most security problems come from within – employees.

Perception: Our client information cannot be at risk. Our security has to be 100%.
Reality: Using a computer is a matter of accepting risk – the question is how much risk is acceptable and how well it can be minimized.

Cautions
–There is more out there than your firm can contend with
–Don't buy into fear mongering
–It is easy to squander a security budget

Security Perceptions

User
Perception: Security is not my responsibility.
Reality: Users are at the very heart of how a firm's security is implemented and can be the cause of success or failure of security controls.

IT
Perception: We do what we can, but we don't get the money or support to lock everything down.
Reality: You don't have to lock everything down tight, just the assets that are most valuable and at the most risk. Mgmt often provides little guidance here.

Mgmt
Perception: Security is handled by my IT department. We did an audit two years ago and came up clean.
Reality: Security is a mgmt issue and should be driven from the top down. Mgmt needs to know what security controls are in effect now.

What can you do?
–Security is attainable
–Organize your response
–Follow the concepts of Due Care / Due Diligence
–Security should be driven by management, not the technicians
–Defend only what you need to
–Integrate your people, process and technology

Visualize Your Security Layers

Assess Your Systems
Identify what your firm values most:
–Document stores
–Personnel database
–Remote access
–Client extranet
–Etc.

Quantify Your Assets
Assign a financial value to each asset, e.g.:
–Cost to Build
–Cost to Protect
–Value to Competition
–Cost to Recover

Evaluate Potential Risks
Realistically decide what are the likely problems you may face, e.g.:
–Hurricane
–Terrorist attack
–Hacker
–Disgruntled employee
–(basic disaster recovery planning)

Classic Risk Assessment
Determine a quantitative value of qualitative assets. This is one approach to valuation using the CIA triad (High=3, Medium=2, Low=1; Value is the sum of the three ratings):

Asset          Confidentiality  Integrity  Availability  Value
Client files   3                2          1             6
Lit Supp DB    3                1          2             6
Recruiting DB  2                1          1             4
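The CIA-triad scoring from the table above, carried through in code so the whole assess / quantify / evaluate procedure can be repeated as assets change. This is an added example, not part of the original presentation; the asset names and ratings come from the slide, while the rating validation and the ranking are assumptions added here.

```python
"""Classic risk assessment: score assets on the CIA triad and rank them.

Added example, not from the original presentation. The three assets and
their High/Medium/Low ratings are taken from the slide's table; the
input validation and ranking are assumptions added here.
"""
from dataclasses import dataclass

# Rating scale from the slide: High=3, Medium=2, Low=1
RATING = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def cia_value(asset: Asset) -> int:
    """Sum the three ratings; this is the slide's 'Value' column."""
    try:
        return (RATING[asset.confidentiality]
                + RATING[asset.integrity]
                + RATING[asset.availability])
    except KeyError as exc:
        # Reject ratings outside the High/Medium/Low scale rather than
        # silently scoring the asset as zero.
        raise ValueError(f"{asset.name}: unknown rating {exc}") from None


def rank_assets(assets):
    """Return (name, value) pairs, highest value first; ties keep input order."""
    scored = [(a.name, cia_value(a)) for a in assets]
    return sorted(scored, key=lambda nv: -nv[1])


# The three rows of the slide's table (constructed from the slide).
SLIDE_ASSETS = [
    Asset("Client files", "High", "Medium", "Low"),
    Asset("Lit Supp DB", "High", "Low", "Medium"),
    Asset("Recruiting DB", "Medium", "Low", "Low"),
]

if __name__ == "__main__":
    for name, value in rank_assets(SLIDE_ASSETS):
        print(f"{name:15} {value}")
```

The highest-scoring assets are the ones the later "Plan of Action" controls should be aimed at first; "Defend only what you need to" follows directly from this ranking.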

Now, Create a Plan of Action
Administrative Controls
–Security Policies & Procedures
–Security Awareness Training
Technical Controls
–Quality Passwords
–Workstation Lockdown
–Etc.
Physical Controls
–Intrusion Detection
–Locks
–Etc.

Security is NOT a one-time effort
–Systems are dynamic
–Evaluate the implementation
–Vulnerability scanning
–External third-party assessments

Regularly Review Asset Security
–Just as financial systems are audited regularly, information systems should be audited on a regular basis as well
–Should be done once or twice a year, or as technology changes are made

What are Most Firms Doing?
–Paying too much attention to the external problems
–Not enough attention to internal problems
–Not making security a management process

Often Ignored Problems
–Workstation Lockdown
–Workstation Standardization
–Quality Passwords
–Laptop Security
–Home Networks
–Poorly done Security Policies
–Little or no Security Awareness Training

Workstation Lockdown / Standards
–Workstations should be Business Computers, NOT Personal Computers
–Effective, but not popular
–Users download from the Internet
–Spyware has become a big problem
–Rootkits / Trojans / Worms

Quality Passwords
–Passwords are the keys to the kingdom
–First layer of user security
–They are NOT often taken seriously
–Use passphrases, not passwords
–8-character passwords are good, but 15 (or more) character passwords are better

Laptop Security
–Hotels / Home Networks
–Dsniff / webspy / spectorsoft / wireless sniffers
–Personal Firewalls (XP SP2)
–Encrypted Files (EFS)

Conclusions
–Security is an attainable goal
–Security has fast become a priority
–The challenge is to determine the best and most appropriate solution for your needs
–Integrate your people, process and technology into security
–Security needs to become part of your firm's culture

Resources
–SANS Institute –
–CERT –
–CISecurity –
–Microsoft –

Questions?
Potomac Consulting Group, Don Philmlee, CISSP