Is Your Company Security Aware? Presented By: Brian Picard GSEC
Personal Background
• Progressive Insurance – Security Architect
  • 10 Long Years (6 years in Identity/Security)
  • GIAC – GSEC Certified
  • Wide range of background experience (i.e. Server Administration, Networking, Development, Identity, and Security Architecture)
• Private Consulting – Anything Technical
  • 9 Years (4 years in Identity/Security)
  • Network Development
  • Server Implementations
  • Custom Development
  • Security Consultations and Instruction
Overview
• Security Awareness Program
• Security Effort Statements
• Sample Security Awareness Efforts
  • Social Engineering
  • Public Information Gathering
  • Development Challenges
  • Physical Security Awareness
  • Adjacent Risks
  • Other Samples
Security Awareness Program
WARNING: This should not be done as a group activity. WARNING
• Definition: Describes where your company’s security awareness is focused and gives a rough outline of the scope.
• Efforts: Describes what efforts will be made to meet your goals.
• Timeframe: Defines how long your company will follow this initiative before re-evaluating its position.
Security Effort Statement
WARNING: These need to be done as a group activity. WARNING
• Objective: Goals, Scope (In AND Out), Gaps
• Target Audience: Intended Targets, Depth of Technical Knowledge
• Actions: Mediums of Delivery, Durations, Required/Optional
• Additional References: Other Sources of Information
• Measurements: Verification of Success
Sample Security Efforts (Social Engineering)
• Objective: To inform employees about Social Engineering and to give them the ability to professionally deal with a suspected Social Engineer. The scope will include social engineering applied to phones, emails, and physical entry to the buildings.
• Target Audience: All Company Employees
• Actions: Company-wide web cast about Social Engineering, including a definition, common real-world examples, and ways to deal with suspected social engineers.
Sample Security Efforts (Social Engineering) (cont.)
• Additional Resources:
  • http://en.wikipedia.org/wiki/Pretexting
  • http://www.securityfocus.com/infocus/1527
  • http://www.sans.org/reading_room/whitepapers/engineering
• Measurements:
  • A company-wide web test administered 6 months after the training is completed.
  • Random Social Engineering attempts made by outside consultants.
Sample Security Efforts (Public Information Gathering)
• Objective: To inform employees about Public Information Gathering. The scope includes web and verbal content shared with individuals inside and outside the company.
• Target Audience: Web Content Analysts and Point of Sale employees.
• Actions:
  • An internal, web-based “find the information” game. The game will include potentially critical company information hidden on a typical-looking company web site.
  • An internet scavenger hunt for public information on companies, with explanations of how this information could be useful to an outsider.
Sample Security Efforts (Public Information Gathering) (cont.)
• Additional Information:
  • http://businessethics.suite101.com/article.cfm/corporate_intelligence_gathering
• Measurements:
  • Post-assessment of the Information Gathering game.
  • Internet Scavenger Hunt to gather required pieces of information about companies based on their corporate web sites.
Sample Security Efforts (Development Challenges)
• Objective: To inform developers of the potential problems with unsafe coding practices. The scope will include Cross-site scripting (XSS), SQL Injection, and Improper Input Validation.
• Target Audience: Web developers that work on an external-facing application.
• Actions: This effort will be comprised of a progressive set of challenges covering the above-mentioned topics. After each challenge, some hints will be given to help solve the next round of problems.
Sample Security Efforts (Development Challenges) (cont.)
• Additional Resources:
  • http://en.wikipedia.org/wiki/Cross-site_scripting
  • http://www.cgisecurity.com/articles/xss-faq.shtml
  • http://en.wikipedia.org/wiki/SQL_injection
  • http://www.unixwiz.net/techtips/sql-injection.html
• Measurements:
  • Completion of the required challenges within a designated time frame.
  • Completion of a follow-up set of challenges, different from the first, six months after completion of the previous round.
  • Bug tracking for reported SQL Injection, XSS, and Input Validation issues.
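The three topics named for the developer challenges (SQL Injection, XSS, Improper Input Validation) come down to a small number of coding patterns. The block below is an added illustration, not material from the presentation; it assumes Python with the standard-library sqlite3 module and a constructed two-row user table, and for each topic places the defective pattern a challenge would exhibit next to the corrected one.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# --- SQL Injection -------------------------------------------------------
def lookup_email_vulnerable(conn, username):
    """Defective pattern: user input is spliced into the SQL text, so a
    crafted username changes the query's logic instead of being data."""
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, username):
    """Corrected pattern: a bound parameter keeps the input out of the SQL
    grammar; the driver treats it purely as a value to compare against."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# --- Cross-site scripting ------------------------------------------------
def render_greeting_vulnerable(display_name):
    """Defective pattern: untrusted text is placed directly into HTML."""
    return f"<p>Hello, {display_name}!</p>"


def render_greeting_safe(display_name):
    """Corrected pattern: escape for the HTML text context before output
    (quote=True also escapes quotes, so the result is safe inside attributes)."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


# --- Input validation ----------------------------------------------------
# Allow-list rule (an assumption for this example): lowercase letter first,
# then 2-31 lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username):
    """Reject anything that is not a well-formed username rather than trying
    to strip dangerous characters out of it."""
    return bool(USERNAME_RE.fullmatch(username))


def lookup_validated(conn, username):
    """Defense in depth: validate first, then use the parameterized query."""
    if not validate_username(username):
        return []
    return lookup_email_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"
    print(lookup_email_vulnerable(db, tampered))   # every row comes back
    print(lookup_email_safe(db, tampered))         # no such user: []
    print(render_greeting_safe("<script>"))        # tags neutralised
    print(validate_username(tampered))             # False
```

Each pair maps onto one of the measurements above: the "before" functions are what a reported bug looks like, the "after" functions are what the fix should look like in code review, and the validator shows why allow-listing is preferred over blacklisting individual characters.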
Sample Security Efforts (Physical Security Awareness)
• Objective: To inform employees about the potential problems with a lack of physical security. The scope shall include only entering the building.
• Target Audience: All employees with badges.
• Actions:
  • An online bulletin explaining the problems and statistics around unauthorized individuals.
  • Movable plaques mounted around badging stations explaining that every person should swipe their own badge and that those attempting to tailgate should be questioned.
Sample Security Efforts (Physical Security Awareness) (cont.)
  • Rotation of entry staff to encourage the requirement of swiping and diminish the likelihood of known employees being allowed to enter without swiping.
  • Colorful posters or cutouts moved around the company encouraging employees to swipe for their own entry and to question others attempting to enter on their swipe.
• Measurements:
  • Trending of the number of unauthorized people in the buildings.
  • Trending of the number of card swipes per day.
Sample Security Efforts (Adjacent Risks)
• Objective: To inform all company employees that work on external data transactions with other companies about Extended Security threats.
• Target Audience: Any employee that works on external data transactions.
• Actions: A Web Based Training (WBT) that explains the potential problems and the history of known problems around network extensions.
• Measurements: A post-assessment of the content covered in the WBT.
Sample Security Efforts (Other Samples)
• Security Informational Sessions
• Security Posters
• Security Bulletins
• Data Classification Awareness
• Phishing
• Source Code Management
Final Thoughts
• Publish Your Security Awareness Statement
• Trust but Verify Completion of Efforts
Recap and Personal Contact Information
• Recap
• Contact Info:
  • Brian_Picard@Progressive.com