January 25 2008 Seminar on Information Security, Compliance and Digital Surveillance
1200 RT 22 E, SUITE 2000, BRIDGEWATER, NJ 08807
PHONE: 908-203-4678, FAX: 908-292-1181
GURU@CONSULTANTGURUS.COM
HTTP://CONSULTANTGURUS.COM

Consultantgurus
Your bridge to all things technology and compliance!
The Consultantgurus Philosophy
• Evangelists for secure computing
• Secure the wider base, and the larger players automatically become more secure
• Education is the best defense
• Security is a process, not an event
• Technology changes; security remains a concern at all times
• Attackers will stay as long as there is value offered
• Users will store only that which has value
• ...and hence, attackers will always be around
Negatives first
• Growing threat landscape
• Need for networked access
• Increasing complexity in simple technological solutions
• Compliance concerns
• The carrot and the stick
• Growing information needs require increased spend
• This spend increases complexity
• Adding technology compounds vulnerability
Top 10 cyber security menaces for 2008
The SANS Institute has drawn up its list of looming security dangers facing organizations and their information-technology defenders.
1. Increasingly sophisticated Web site attacks that exploit browser vulnerabilities.
2. Increasing sophistication and effectiveness in botnets.
3. Cyber espionage efforts by well-resourced organizations looking to extract large amounts of data, particularly using targeted phishing.
4. Mobile phone threats, especially against iPhones and Android-based phones.
5. Insider attacks, initiated by rogue employees, consultants or contractors.

Top 10 cyber security menaces for 2008...continued
6. Advanced identity theft from persistent bots.
7. Increasingly malicious spyware.
8. Web application security exploits (cross-site scripting, SQL injection).
9. Increasingly sophisticated social engineering, including blending phishing with VoIP and event phishing.
10. Supply-chain attacks infecting consumer devices (USB thumb drives, GPS systems) distributed by trusted organizations.
Wireless networks – and the pervasive environment (O'Reilly – 7 problems with wireless networks)
Problem #1: Easy Access
Problem #2: "Rogue" Access Points
Problem #3: Unauthorized Use of Service
Problem #4: Service and Performance Constraints
Problem #5: MAC Spoofing and Session Hijacking
Problem #6: Traffic Analysis and Eavesdropping
Problem #7: Higher Level Attacks
Source: http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html
Increasing use of information demands better and yet more secure access
• The need of the day – enable universal access without compromising security or integrity of information
• This is achievable
• What are we protecting, and what are we providing?
• Simplify, simplify, simplify
• Do we need more technology?
• Have we used all our infrastructure provides?
• Is obsolescence accounted for?
• Is virtualization an option?
Security starts with the basics
• Is the core software security-aware?
• Does the organization recognize the benefits of security?
• Security is not witchcraft – and it is not a black art
• Security enables better productivity by allowing correct results the first time, every time.
• Has security been applied as a bandage?
• How do we fix the situation then?
The what and why
• What am I protecting?
• Why am I protecting it?
• The business case
• How does technology impact the core business?
• Is learning agility built into the infrastructure?
• Can the infrastructure adapt to the changing technology landscape?
• How often is change and redesign necessitated?
• How often was good technology ignored due to incompatibility issues?
• What was the business/opportunity lost?
Who needs protection
• The standalone disconnected setup
  • Will be connected
  • Danger of theft
  • Need support – can come from anywhere globally
  • Start it all right
• The small network
  • Information stored is the honey attracting the attacker bees
  • Is data secure in all states – at rest, in transit and during use?
• The large infrastructure
  • Complexity causes critical areas to be overlooked
  • Business case sometimes justifies overlooking security
  • Protect by simplifying and ensuring all components and interconnects are secure
Security – cost and benefit
• Security as a process, not an event
• Education – the most important component of security
• Simplify, and minimize pathways to ensure best security
• The caveman-to-modern-man analogy
• Benefit is improved productivity
• Simple systems and components need less maintenance
• The KISS philosophy still works
Compliance
• Today, compliance is a large driver for security efforts
• Compliance is inherent in a properly secured infrastructure
• Cost / benefits of compliance
• The global compliance quandary – e.g. SOX vs. EU Privacy Directive
• The complex compliance landscape
• Computer Security Act of 1987 (P.L. 100-235) - http://www.epic.org/crypto/csa/csa.html
• Federal Information Security Management Act of 2002 (FISMA) (Public Law 107-347, Title III, 116 Stat. 2899, 2946) - http://csrc.nist.gov/policies/FISMA-final.pdf
• Homeland Security Act of 2002 (Public Law 107-296, 116 Stat. 2135) - http://www.whitehouse.gov/deptofhomeland/bill/hsl-bill.pdf
• UK Data Protection Act of 1998 - http://www.opsi.gov.uk/ACTS/acts1998/19980029.htm
• European Union Data Protection Directive (EUDPD) - http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
• UK – Computer Misuse Act of 1990 - http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

• EU Data retention rules - http://news.bbc.co.uk/1/hi/world/europe/4527840.stm
• European Union Data Protection Directive (EUDPD) - http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31995L0046&model=guichett
• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) - http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
• Sarbanes-Oxley Act of 2002 - http://www.sarbanes-oxley.com/section.php?level=1&pub_id=Sarbanes-Oxley
• Gramm-Leach-Bliley Act - http://www.ftc.gov/privacy/glbact/glbsub1.htm
• Health Insurance Portability and Accountability Act - http://www.hhs.gov/ocr/hipaa/
• Bank Secrecy Act/Anti-Money Laundering Act - http://www.irs.gov/businesses/small/article/0,,id=152532,00.html

• USA PATRIOT Act (Public Law 107–56) - http://www.epic.org/privacy/terrorism/hr3162.html
• Payment Card Industry Data Security Standard (PCI DSS) - https://www.pcisecuritystandards.org/tech/
• California Senate Bill 1386 (CA SB 1386) - http://info.sen.ca.gov/pub/05-06/bill/sen/sb_1351-1400/sb_1386_bill_20060330_amended_sen.pdf
• Basel II: International Convergence of Capital Measurement and Capital Standards: a Revised Framework - http://www.bis.org/publ/bcbs107.htm
• Personal Information Protection and Electronic Documents Act (PIPEDA) - http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp
• Securities and Exchange Commission (SEC) laws and regulations - http://www.sec.gov/about/laws.shtml
Information Overload
• The Internet presents "too much" information, often without validation
• Information overload: I do not know all of what I know, and I do not know what you know. We are both not necessarily working off the same information cache to arrive at our individual decisions on the same subject.
• The Internet can be more misleading than the rumor mill.
• Young minds, though more energetic, are also more susceptible. We have to be able to channel everyone's energy and creative spirit without leaving them vulnerable to being misled.
The Threat Landscape
• Hobbyist Phase (1986-2000):
  • Viruses written largely out of curiosity, or for bragging rights
  • Payloads tended to be limited to propagation, destruction, or political/personal messages
• Criminal/Commercial Phase (Early 2000s-Present):
  • Bots, Backdoors, Password-Stealers, Spyware, Adware
  • Shift from parasitic to static malware; steep growth in malware creation rates
  • The point is stealth and data, and uncontrolled propagation is bad for business
The Threat Landscape – are numbers everything?
• Quote from my teacher: "Ex pondere et numero veritas" (Latin) – From numbers and measurements – TRUTH
• But today, celebrity/shock/scandal sells – so media pays "experts" to present numbers in a compliant fashion
• Absorb without succumbing, and extract relevance
• Consultantgurus USP – remove hype, reduce cost while improving security and efficiency
Industry Perspective - Increasing Volumes and Complexity of Malware
[Chart] Source – McAfee Labs

Password Stealers (PWS) – a growing threat
[Chart] Source – McAfee Labs
The need for security frameworks
The best method to ensure that security is consistent, on target and in tune with organizational expectations is to use a uniform and accepted methodology, applied consistently, to secure the organization's information.
A well-formulated security framework allows the organization to plan, test and apply security measures in a repeatable, measurable and auditable fashion. This allows the organization to plan forward without having to worry about compromising existing security or creating new security solutions for new strategies.
The need for policy – growing complexity on the data landscape
The quote below, from the Commission of the European Communities paper "Network and Information Security: Proposal for A European Policy Approach", highlights this.
"The proposed policy measures with regard to network and information security have to be seen in the context of the existing telecommunications, data protection, and cyber-crime policies. A network and information security policy will provide the missing link in this policy framework. The diagram below shows these three policy areas and illustrates with a few examples how they are interrelated:"
Source: http://www.usdoj.gov/criminal/cybercrime/intl/netsec_comm.pdf
The components of a security framework
• Policy: The security policy defines the organizational stance with respect to the various aspects of information security.
• Standards: Standards allow the organization to set specific targets for individual security activities, and measure them against a common base.
• Risk analysis: This allows the organization to understand the cost of security in light of the business need and requirement, and make a business decision/case for the need for security in each situation.
• Procedures: Standardized procedures allow the security team to deploy security solutions rapidly and in accordance with organizational needs.
• Metrics: Metrics allow the organization to quantify security solutions and achievements, and compare performance historically.

The components of a security framework...continued
• Audit: Audit is the feedback process used by the organization to measure the effectiveness of security.
• Governance: Traditionally, information security has been treated as a function within, or a component of, information technology. However, with the use of information growing to cover all of an organization's functions instead of just the technology components, securing the information and ensuring that it stays secure is now an organization-wide responsibility. This requires:
  • Education of all users in the need for security
  • Organization-wide awareness of security policies and the need to protect information
  • Senior management support for the security measures and processes
Popular security frameworks
• ISO 27001/17799 [1]
• COBIT (Control Objectives for Information and related Technology) [2]
• NIST (National Institute of Standards and Technology) SP 800-53 [3] / SP 800-53A [4]
• ITIL (Information Technology Infrastructure Library) [5]
• DIACAP (DoD Information Assurance Certification and Accreditation Process) [6]

[1] ISO 27001 - http://www.27001-online.com/secpols.htm
[2] COBIT Executive Summary - http://www.isaca.org/AMTemplate.cfm?Section=Downloads&Template=/ContentManagement/ContentDisplay.cfm&ContentID=34172
[3] NIST SP 800-53 - http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
[4] NIST SP 800-53A - http://csrc.nist.gov/publications/drafts/800-53A/SP-800-53A-tpd-final-sz.pdf
[5] ITIL and Security - http://www.itil-service-management-shop.com/security.htm
[6] DIACAP Guidance - http://iase.disa.mil/ditscap/ditscap-to-diacap.html
Our solutions
• Firewalls
• Proxy Servers
• Intrusion detection/prevention systems
• Network and system design/maintenance
• Compliance audits
• Performance audits
• Security audits
• Full service IT

Our solutions ... continued
• Secure remote access
• Simplified threat management
• Layered security
• Policy-driven design
• Regulation-compliant infrastructures
• Managed services
• Business justification is key to all work

Our solutions ... continued 2
• Digital surveillance
• Video surveillance
• Alarm and monitoring systems and infrastructure
• VoIP and digital phone systems
• Unified communication networks
• Media streaming and distribution systems
• GPS trackers
Our solutions ... continued 3
BCM and DR planning
• The importance of continuity plans
• Why disaster recovery? How is it different from continuity plans?
• How does it help?
• Relation to the larger security landscape
• Shared BCM/DR might make functional and budgetary sense

Our solutions ... continued 4
The CSIRT – Computer Security Incident Response Team
• Do all organizations need a CSIRT?
• Cost-benefit analysis
• Shared resources
• Our CSIRT – shared resource with guaranteed confidentiality
In summary
• Security is not an event – it is a process.
• Security is not a password, a firewall or encryption.
• Security is a way of thinking, a way of processing, a process of correct use.
• Security helps – if it hampers, it is not security.
• Education is a necessary component – continuous education is a need.
• Discipline and adherence to policy are a requirement.
• Compliance is almost a natural offshoot of a secure structure.

The Consultantgurus solution – reduced cost and improved efficiency
• Our partners share our philosophy of the simple approach.
• We make security usable and user-friendly.
• Our solutions are geared to improve efficiency rather than hamper productivity.
• We want you to be successful – and help by demystifying security and compliance.
• Our managed services can take on as much of your infrastructure as you want to off-load.
• We will take over the obsolescence worries, and you can focus on your productivity.
Consultantgurus – your technology partner!

Questions?

PRESENTING FORTINET – OUR DATA SECURITY PARTNER