“Information Security For Your Company: Its Risks, Tradeoffs, and Solutions – A Management Perspective”, November 17, 2005
eWorkshop Purpose To demystify the process of protecting your company’s information
Our presenter will cover • Types of information to protect • Types of attackers • Exposure • Defenses • Examples
This workshop is sponsored by Jones International University www.jiu.edu
Jones International University offers an online MBA in Information Security Management For more information go to www.jiu.edu or call 866.246.0368 to speak with an Admissions Counselor.
This Webcast is hosted by www.meetingone.com
Presenter: Maura van der Linden, Software Development Engineer in Test, Microsoft Corporation
Understanding Information Security Tradeoffs: A Management Perspective
Written by: Maura van der Linden (maura@mauravanderlinden.com)
Brought to you by: Jones International University MBA with Information Security Management (www.jiu.edu/learnshare)
© 2005 Jones International University
Presentation Goals
• Convey a basic understanding of the Information Security Equation and its five variables.
• Provide an overview of the process of Threat Analysis.
• Demonstrate the iterative and ongoing nature of Information Security.
• Illustrate the Threat Analysis and Mitigation process with several real-life samples of the tradeoffs made to minimize or remove Information Security threats.
Key Information Security Concepts
• Information Security Equation
• Threat Analyses
• Threat Mitigation and Re-Evaluation
• Response and Contingency Planning
• Security Champions
• Security Reviews
Information Security Equation Variables
• Information: Collection, Storage, Replication
• Intruders / Attackers: Sources, Motivations
• Exposure
• Defenses
• Responses
Poll Question #1: What do you think are the biggest risks to your company?
1 = Email Viruses
2 = Directed Hacking Attacks
3 = Opportunistic Hacking Attacks
4 = Internal Theft / Misuse
Information Aspect 1: Collection
Examples:
• Internet Orders or Submissions
• Paper Orders
• Employee Hiring Paperwork
• Point-of-Sale Systems
• Telephone Ordering Systems
• 3rd Party Data Forwarding
Information Aspect 2: Storage
Business Data Examples:
• HR Data
• Emails
• Intranet Documents
• Financial Data
• Payroll Data
• Intellectual Property
• Partner / Vendor / Supplier Data
Customer Data Examples:
• Personal Data (Identifying Information)
• Credit Card Data
• Order History
• Financial Data
• Medical Data
Information Aspect 3: Replication
Examples:
• Live Databases
• Test Databases
• 3rd Party Forwarding
• Backups
• Log Files
• Printouts
• Paper Files / Copies
Intruders / Attackers Aspect 1: Sources
Internal Source Examples:
• Current Employees
• Contracting Companies
• Vendors / Sub-Contractors
External Source Examples:
• Ex-Employees
• Protesters / Idealists
• Professional Hackers
• Competitors
• Cyber-Vandals
Intruders / Attackers Aspect 2: Motivations
Examples:
• Data Theft
• Data Destruction
• Cyber-Vandalism / Nuisance
• Coup Counters
Exposure
Internal Examples:
• Employees
• Locations
• Intranet
• Contractors
External Examples:
• Internet
• Partners
• Vendors / Contractors
• Customers
Defenses
Examples:
• Commercial Software Defenses
• Commercial Hardware Defenses
• In-House / Custom Defenses
• Physical Defenses
• Policy Defenses
Responses
Examples:
• Intrusion Detection Plan
• Data Recovery Plan
• Data Restoration
• Web Site Restoration
• Customer Notification
Poll Question #2: How many of you have defenses and a response plan in place already?
1 = Both are in place and updated.
2 = Both are in place but are out of date.
3 = Defenses are in place but no response plan.
4 = No formal plan for either.
Threat Modeling Aspects
Examples:
• How much harm can be done?
• How easy is it to perform?
• How well known is it?
• How hard or expensive will it be to recover?
• How many customers will it affect?
Threat Analysis & Mitigation Process
Example Questions:
• What is the threat rating (severity)?
• What mitigations are available?
• What do those mitigations cost vs. how well they mitigate the threat?
• Is the convenience worth the risk?
• How will the mitigation be enforced?
• Are there additional legal or regulatory issues if the threat is carried out?
Common Misconceptions of Tradeoffs
Each of the following is a misconception:
• High mitigation = high cost.
• Mitigation solutions must be custom or customized.
• Obscurity = security at very low cost.
• All mitigations are high tech.
• Hackers are isolated and tend to work alone.
Take Incremental Steps
• After each mitigation is developed, the threat must be reviewed again.
• Revisit the threat rating.
• Identify any other threats that might be affected, beneficially or adversely, by a mitigation designed for another threat.
• Don’t neglect easily mitigated threats that do not have the highest threat ratings.
Samples of Common Tradeoffs
• Convenience of multiple places to find the same data vs. having to secure every place that data is stored.
• Ease of referencing plain-text data instead of encrypted data vs. the risk that, if the data is stolen, it is easy and ready to use.
• Ability for any employee to solve problems for customers vs. the risk of all employees having the ability to steal or misuse customer data.
More Samples of Common Tradeoffs
• Cost of buying commercial security software for every workstation vs. the risk of even one virus incident shutting down the business’ intranet.
• Employee morale and the freedom to open and read any email at work, plus the expense of setting up and enforcing email attachment policies, vs. the risk of a virus attack revealing confidential business information.
Sample Situation #1
Situation: A medical supply company keeps customer information in its permanent database and indexes the records by Social Security Number. The database is accessible from the Internet so that customers can look up their own information.
Mitigation: The risk of exposing customers’ Social Security Numbers, together with the associated personal information, on an Internet-facing database is mitigated by switching to a random customer number and removing the Social Security Number from data storage altogether.
Tradeoffs: The convenience of having the Social Security Number as a built-in index is traded for a Customer ID, which means records have to be retrieved by customer number, or by email address, together with a password. A mailing had to be sent to customers explaining why the change was being made and how to access their information from now on.
Two details decide whether this mitigation holds up: the customer number must come from a cryptographically secure random source rather than a counter, and a record must never be retrievable by number alone. Otherwise the new number simply becomes a new identifier for an attacker to enumerate.
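The following is an added example of the customer-number mitigation, not the medical supply company’s actual code. It builds an in-memory customer table with no Social Security Number column, issues a 10-digit customer number from the operating system’s CSPRNG, stores only a salted PBKDF2 password hash, and returns a record only when the password verifies, whether the customer is identified by number or by email address. The schema, function names and the 10-digit format are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed, self-contained example of the mitigation above (not the medical
# supply company's real system): a customer table keyed by a random customer
# number, with no Social Security Number column, and a lookup that returns a
# record only with the right password. Schema and ID format are assumptions.

PBKDF2_ROUNDS = 100_000  # password hashing cost; tune to your hardware


def new_customer_id() -> str:
    """10-digit customer number from the OS CSPRNG: unguessable, unrelated to any real identifier."""
    return f"{secrets.randbelow(10**10):010d}"


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def open_db() -> sqlite3.Connection:
    """In-memory database with the post-mitigation schema: note there is no ssn column."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE customer (
               customer_id TEXT PRIMARY KEY,
               email       TEXT UNIQUE NOT NULL,
               name        TEXT NOT NULL,
               pw_salt     BLOB NOT NULL,
               pw_hash     BLOB NOT NULL)"""
    )
    return con


def add_customer(con: sqlite3.Connection, email: str, name: str, password: str) -> str:
    """Create a customer and return the new random customer number."""
    if con.execute("SELECT 1 FROM customer WHERE email = ?", (email,)).fetchone():
        raise ValueError("email already registered")
    salt, digest = hash_password(password)
    while True:
        cid = new_customer_id()
        try:
            con.execute("INSERT INTO customer VALUES (?, ?, ?, ?, ?)", (cid, email, name, salt, digest))
            return cid
        except sqlite3.IntegrityError:
            continue  # astronomically rare collision on the random number; draw again


def lookup(con: sqlite3.Connection, password: str, customer_id: str = None, email: str = None):
    """Return the record for a customer number or an email address, only if the password verifies.

    Never returns a record on the identifier alone, so a leaked or guessed number is not enough.
    """
    if customer_id is not None:
        where, arg = "customer_id = ?", customer_id
    elif email is not None:
        where, arg = "email = ?", email
    else:
        return None
    # `where` is one of the two constant fragments above; the value is still bound as a parameter.
    row = con.execute(
        f"SELECT customer_id, email, name, pw_salt, pw_hash FROM customer WHERE {where}", (arg,)
    ).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # equalize timing: do not reveal whether the identifier exists
        return None
    _, digest = hash_password(password, row[3])
    if not hmac.compare_digest(digest, row[4]):
        return None
    return {"customer_id": row[0], "email": row[1], "name": row[2]}


def columns(con: sqlite3.Connection) -> list:
    """Column names of the customer table, to check that no ssn column has crept back in."""
    return [r[1] for r in con.execute("PRAGMA table_info(customer)")]


if __name__ == "__main__":
    db = open_db()
    cid = add_customer(db, "alice@example.com", "Alice Example", "correct horse battery staple")
    print("customer number:", cid)
    print("by number + password:", lookup(db, "correct horse battery staple", customer_id=cid))
    print("wrong password:", lookup(db, "wrong", customer_id=cid))
    print("columns:", columns(db))
```

The point of the design is the absence of an `ssn` column: data that is not stored cannot be exposed, whatever else goes wrong with the Internet-facing database.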
Sample Situation #2
Situation: An online shopping business was allowing customers to store credit card information, including the three-digit card verification code, so that they would not have to re-enter their card details each time they placed an order.
Mitigation: The risk of exposing credit card information in this Internet-facing shopping system, together with the risk of a third party charging items to the saved card, was judged too high. The credit card information was removed from the customer database, and users now enter their card details for each purchase.
Tradeoffs: The convenience of having the credit card information already entered and available was traded for the security of not having credit card information vulnerable to theft or misuse. The reason for the change was posted on the checkout page, and customer response was quite positive, especially in the wake of a highly publicized credit card information theft.
One caveat for anyone weighing a similar decision: the payment card industry’s data security standard (PCI DSS) prohibits storing the three-digit verification code after authorization at all, so keeping it was never a legitimate convenience option. The tradeoff that genuinely remains is whether to store the card number itself, or to hand that liability to a payment processor.
Sample Situation #3
Situation: A financial investment company that develops and uses in-house software for account maintenance has a test database for its contract testers, but the test database is actually a copy of the live customer database and contains everything the live database does. To make life easier for the testers, the database administrator password has been set to <blank>.
Mitigation: The previously overlooked risk of having live data in an easily accessed place was considered too high, so an application was written to simulate live transactions and used to build a dummy database for test. Because the database now contained NO real data, the administrator password was left as <blank>.
Tradeoffs: Perfect replication of live customer data was traded for a very realistic set of dummy data without the risk of data theft. There was an additional benefit: the tool that created the test database could be reused by other parts of the test effort.
Two checks are worth adding to a decision like this. First, verify that the generated data really contains no live values (names, account numbers, identifiers), since a generator seeded from production records can leak them. Second, a blank administrator password is still a weakness even with no real data in the database: the test host sits on the company’s network, and an attacker who gains administrator access to it has a foothold from which to reach systems that do hold live data.
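The following is an added example of the synthetic-data approach, not the investment company’s own tool. It simulates deposits, withdrawals and dividends against made-up accounts, builds a test database from that transaction log, and provides the two checks testers need: that balances are consistent with the transactions, and that no live value has leaked into the test data. The schema, the name lists, the assumption that live account numbers are below 9,000,000, and the constructed “live values” set are all assumptions.

```python
import random
import sqlite3

# Constructed, self-contained example of the mitigation above (not the investment
# company's real tool): build a realistic test database from simulated
# transactions so testers never work on a copy of live customer data. Schema,
# name lists and the account-number range are assumptions.

FIRST_NAMES = ["Ada", "Grace", "Linus", "Mei", "Omar", "Sofia", "Tomás", "Yuki"]
LAST_NAMES = ["Lovelace", "Hopper", "Kimura", "Haddad", "Rossi", "Nakamura", "Okafor"]

# Assumption: live account numbers are below 9,000,000, so synthetic numbers drawn
# from this range can never coincide with a real customer's.
SYNTHETIC_ID_RANGE = range(9_000_000, 10_000_000)

SCHEMA = """
CREATE TABLE account (
    acct_id       INTEGER PRIMARY KEY,
    holder        TEXT    NOT NULL,
    balance_cents INTEGER NOT NULL);
CREATE TABLE txn (
    txn_id       INTEGER PRIMARY KEY AUTOINCREMENT,
    acct_id      INTEGER NOT NULL REFERENCES account(acct_id),
    kind         TEXT    NOT NULL,
    amount_cents INTEGER NOT NULL);
"""


def build_test_db(n_accounts: int = 50, n_txns: int = 500, seed: int = 1) -> sqlite3.Connection:
    """Build an in-memory test database from simulated transactions (seeded, so reproducible)."""
    rng = random.Random(seed)
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    ids = rng.sample(SYNTHETIC_ID_RANGE, n_accounts)
    for acct in ids:
        holder = f"{rng.choice(FIRST_NAMES)} {rng.choice(LAST_NAMES)}"
        con.execute("INSERT INTO account VALUES (?, ?, 0)", (acct, holder))
    for _ in range(n_txns):
        acct = rng.choice(ids)
        balance = con.execute("SELECT balance_cents FROM account WHERE acct_id = ?", (acct,)).fetchone()[0]
        kind = rng.choice(["deposit", "withdrawal", "dividend"])
        if kind == "withdrawal":
            if balance < 100:
                continue  # nothing to withdraw yet; simulate the next event instead
            amount = -rng.randint(100, balance)  # never overdraws, mimicking a live system's rules
        else:
            amount = rng.randint(100, 500_000)
        con.execute("INSERT INTO txn (acct_id, kind, amount_cents) VALUES (?, ?, ?)", (acct, kind, amount))
        con.execute("UPDATE account SET balance_cents = balance_cents + ? WHERE acct_id = ?", (amount, acct))
    con.commit()
    return con


def balances_consistent(con: sqlite3.Connection) -> bool:
    """True if every account balance equals the sum of that account's transactions."""
    rows = con.execute(
        """SELECT a.balance_cents, COALESCE(SUM(t.amount_cents), 0)
           FROM account a LEFT JOIN txn t ON t.acct_id = a.acct_id
           GROUP BY a.acct_id"""
    ).fetchall()
    return all(balance == total for balance, total in rows)


def leaked_live_values(con: sqlite3.Connection, live_values: set) -> set:
    """Return any live account numbers or holder names found in the test database (expected: empty).

    live_values is a set of real identifiers supplied by whoever owns the production data.
    """
    found = set()
    for acct, holder in con.execute("SELECT acct_id, holder FROM account"):
        if acct in live_values:
            found.add(acct)
        if holder in live_values:
            found.add(holder)
    return found


def account_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM account").fetchone()[0]


if __name__ == "__main__":
    db = build_test_db(seed=7)
    print("accounts:", account_count(db))
    print("balances consistent:", balances_consistent(db))
    # Constructed stand-in for a list of real identifiers; the check must come back empty.
    print("leaked live values:", leaked_live_values(db, {123456, "Jane Doe"}))
```

Because the generator is seeded, a failing test can be reproduced exactly by re-running with the same seed, which is one of the reasons a tool like this ends up reused by other parts of the test effort.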
Poll Question #3: How is your Information Security currently being managed?
1 = One person is in charge of it as a main job function and may or may not have a team working under them.
2 = One person is in charge of it as a secondary or lesser task.
3 = A team of people are in charge of it but are not coordinated by a single individual.
4 = It’s outsourced to another company.
5 = It’s not being managed.
Role of the Security Champion
• Centrally responsible for security efforts.
• Single point of coordination for response plans and materials.
• Disseminates knowledge and information as changes are made in business practices and policies.
• Keeps up to date on software patches, vulnerabilities and versions.
• Presents threat analyses and mitigation plans and proposals to management.
• Conducts and enforces security review standards and schedules.
External Security Consultants
Pro:
• Considerable knowledge and training that is generally kept up to date.
• Can be less expensive to use where risks are fairly low and not overly prone to frequent or rapid change.
• Can provide a second set of eyes for in-house plans or for vulnerability assessment.
Con:
• May not understand the customer’s business, so making an accurate determination of the viability of tradeoffs may be difficult.
• May be difficult to communicate the full impact of analyses and proposed changes.
• More difficult to use for ongoing changes or revisions.
Continuing Efforts are Key
• Businesses change over time.
• Threats and vulnerabilities change over time.
• Attack vectors and techniques change over time.
• Laws and legal precedents change over time.
To access presentation materials, go to www.LearnShare.com, then Best Practice Events, then eWorkshops: “Information Security For Your Company: Its Risks, Tradeoffs, and Solutions – A Management Perspective”