Managing Security for our Mobile Technology
Security Management Purpose • Protection of Assets • Protection of Services • Prevention of Fraud • Overall protection of revenue
Content • Physical Security • Infrastructure Security • Responding to Emergencies
Two Areas of Security • Physical: Base stations, Data centres, Network sites • Network/Platform Infrastructure: Servers, Routers, Firewalls
Corporate Strategies – Physical Security • Managed access: managing who has the right to access • Security monitoring: monitoring priority sites through cameras and electronic access • Fences, keys, alarming: securing the perimeter to prevent access • Site security auditing: ensuring compliance to security policy • Guard monitoring
The Infrastructure Security Posture • Every Way In [Figure: diagram with labels WORM (repeated) and ATTACK]
Corporate Strategies – Infrastructure Security • Establish security policies • Security alert methods • Dedicated centre of excellence for IT/IP security mgt • Vulnerability management processes • Security incident management processes • Intrusion detection
Today's Organizational Issues: Management of Infrastructure Security • Increase of skills in hacking and fraudulent tools and techniques • Protecting what you don’t know (understanding the risk) • Cost of managing security • Ability for organizations to act • Complexity of our infrastructure • Increasing identification of vulnerabilities • Recognition and support by senior management of security management
Defense in Depth • Protect at all levels • Focus on depth in setting up defense • Apply security technology at all layers • Apply security principles and processes at all layers
Code Red Propagation July 19, midnight - 159 hosts infected
Code Red Propagation (cont’d) July 19, 11:40 am - 4,920 hosts infected
Code Red Propagation (cont’d) July 20, midnight - 341,015 hosts infected
Threat Capabilities: More Dangerous and Easier to Use [Figure: sophistication of hacker tools (Low to High) and technical knowledge required, over 1980, 1990, 2000. Labelled capabilities: Password Guessing, Password Cracking, Self Replicating Code, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Sweepers, Sniffers, Stealth Diagnostics, Packet Forging/Spoofing, DDoS, Internet Worms]
Cost of Poor Security
Type of Crime                     2002     2003     Change
Unauthorized Privileged Access    $106K    $322K    +300%
Financial fraud                   $807K    $3.5M    +430%
Telecommunications Fraud          $101K    $415K    +410%
Web Defacement                    -        $58K     -
Denial of service                 $181K    $397K    +220%
Virus, Worm, Trojan Infection     $891K    $2.2M    +245%
Unauthorized Insider Access       $145K    $262K    +180%
TOTAL                             $2.2M    $7.1M    +320%
• Compare this to the cost of implementing a comprehensive security solution! Source: 2003 Australian Computer Crime and Security Survey
Business Continuity Plans • Business Continuity Plans have been developed for all our strategic sites, Internet Data Centres, and Melbourne and Sydney cable tunnels. • A generic Site Recovery Process has been developed for 410 sites and is generic enough to apply to all sites. • Critical processes, and the applications used to support them, have: Business Continuity Plans, Application Recovery Plans, Infrastructure Recovery Plans
Blackout 2003 Scenario in Australia • All category 1 and 2 sites have Emergency Power Plant • Sites which do not have Emergency Power Plant would run out of battery reserve over a varied period of time • Portable generation equipment would not be viable in this scenario due to demands by other community groups and the likelihood of theft. • Business Continuity Plans applied to protect services • Initiate Serious Incident Mgt Process
Example - Responding to Fires, Floods, etc.: The Key is Process. How it would work - Example • Centralised Serious Incident Mgt Team • Sites in affected area monitored • Situation monitored • Distribution of resources • Appropriate activities commissioned • Centralised, national command and planning activities
Conclusion • Mobile’s Infrastructure Security mgt spans both Physical and Logical aspects • Corporate strategies address the growing complexity of security risk in infrastructure • The key to any Security or Emergency mgt is its management processes • Focus on the management of Security Risk, with prevention as the priority