
Information Security on a Budget: Where to Invest First. M. E. Kabay, PhD, CISSP, Assoc. Prof. Information Assurance. Presentation transcript.


Slide 1. Copyright © 2002 M. E. Kabay. All rights reserved.
Information Security on a Budget: Where to Invest First
M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance, Dept. Computer Information Systems, Norwich University, Northfield, VT
mkabay@norwich.edu
http://www2.norwich.edu/mkabay/index.htm

Slide 2. Topics
- Policy, Power & Position
- Training and Awareness
- Hiring, Management and Firing
- System Administration
- Security Evaluations

Slide 3. Policy, Power & Position
- Policies must be living documents
- Assign responsibility for security
- CISO as equal of CEO, CFO...
- Status must not equal access
- Compliance depends on top-level support

Slide 4. Training and Awareness
- Training and awareness are not single events
- Social engineering can be fought only by awareness and preparation
- Constant learning is essential:
  - Formal courses & conferences
  - Web-based courses
  - Free resources on the Web
  - Textbooks, magazines
  - Video films and DVDs
  - In-house courses from experts

Slide 5. Hiring, Management and Firing
- Hiring
  - Check background carefully
  - Have candidates interviewed by future colleagues
- Management
  - Be sensitive to changes in behavior
  - Enforce vacations
- Firing
  - Shut down access
  - Retrieve corporate property

Slide 6. System Administration
- Establish effective security configurations
- Maintain software
- Detect security breaches
- Respond intelligently to incidents

Slide 7. Establish Effective Security Configurations
- Default configurations are often inadequate
- Firewalls need to implement a thought-out policy
- Network topology should reflect needs for data partitioning
- Adapt network security to changing needs
- Evaluate anti-DDoS tools

Slide 8. Maintain Software
- Single most important problem: known vulnerabilities
- Consult or subscribe to alerts:
  - CERT/CC http://www.cert.org
  - Bundesamt für Sicherheit in der Informationstechnik (BSI) http://www.bsi.bund.de/
  - Common Vulnerabilities and Exposures database (CVE)
  - ICAT Metabase http://icat.nist.gov/icat.cfm

Slide 9. BSI (screenshot) http://www.bsi.bund.de/

Slide 10. ICAT / CVE (screenshot) http://icat.nist.gov/icat.cfm

Slide 11. Detect Security Breaches
- Quick response is valuable and economical
- Intrusion detection systems (IDS):
  - Not cheap
  - Learn / define normal patterns
  - Identify anomalies
  - Allow human response
- Total cost of acquisition, tuning and management can be high
- But the cost of undetected & uncontrolled penetration can be higher
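The three IDS steps on this slide (learn normal patterns, identify anomalies, allow human response) as an added Python example that is not part of Kabay's deck: it learns per-host daily failed-login counts from constructed sshd-style log lines, flags deviations and never-seen hosts, and returns alerts for an analyst instead of acting on them. The log format, the 3-sigma threshold and the unseen-host floor are assumptions chosen for the illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Anomaly-style IDS in miniature: learn each source host's "normal" daily failed-login
# volume from a baseline period, flag what deviates in a new window, and leave the decision to a human.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def daily_counts(lines):
    """Map (day, source IP) -> failed-login count; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[(m["day"], m["src"])] += 1
    return counts

def learn_baseline(lines):
    """Per-source mean and population stdev of daily counts: the learned 'normal pattern'."""
    per_src = {}
    for (_day, src), n in daily_counts(lines).items():
        per_src.setdefault(src, []).append(n)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}

def detect(baseline, lines, k=3.0, min_unseen=5):
    """Return (day, src, count, reason) alerts for analyst review, oldest first."""
    alerts = []
    for (day, src), n in sorted(daily_counts(lines).items()):
        if src not in baseline:
            if n >= min_unseen:  # never-seen host: only worth a human's time above a floor
                alerts.append((day, src, n, "source not in baseline"))
        else:
            mu, sd = baseline[src]
            if n > mu + k * max(sd, 1.0):  # floor the stdev so a flat baseline still tolerates noise
                alerts.append((day, src, n, f"{n} failures vs baseline {mu:.1f} +/- {sd:.1f}"))
    return alerts

def _lines(day, src, n):
    """Constructed sample log lines (not real data); n must be < 10 for the hour field."""
    return [f"{day}T0{i}:00:00 sshd[{1000 + i}]: Failed password for invalid user admin from {src}"
            for i in range(n)]

# Baseline: 10.0.0.5 fails twice every day; 10.0.0.7 fails 1, 2, 3 times. Test day adds an unseen host.
BASELINE = sum((_lines(f"2002-05-0{d}", "10.0.0.5", 2) + _lines(f"2002-05-0{d}", "10.0.0.7", d)
                for d in (1, 2, 3)), [])
TODAY = (_lines("2002-05-04", "10.0.0.5", 9) + _lines("2002-05-04", "10.0.0.7", 3)
         + _lines("2002-05-04", "203.0.113.9", 6))
ALERTS = detect(learn_baseline(BASELINE), TODAY)
```

ALERTS contains the jump on 10.0.0.5 and the unseen host 203.0.113.9 but not 10.0.0.7, whose three failures sit inside its learned range; the tuning cost the slide mentions is exactly the choice of k and min_unseen.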

Slide 12. Respond Intelligently to Incidents
- IDS is useless without an effective response plan
- Computer Emergency Response Team
  - Also known as Incident Response Team
  - Complex and expensive planning
  - Involvement from throughout the organization
  - Most experienced personnel essential
- Link CERT/IRT to DRP and BCP
  - DRP = disaster recovery plan
  - BCP = business continuity plan
- May choose to use honeypots
  - System to delay intruder and study behavior

Slide 13. Security Evaluations
- Developing security policies may be too hard
  - Use existing guides
  - May use external help to reduce time spent by expensive employees
- Checking security may be best done by outsiders
  - Editing text is best done by someone else
  - Checking program source code is best done by another programmer
- Need to find trustworthy experts
  - Beware those who hire criminal hackers
- Should test only after development & training

Slide 14. DISCUSSION

