This presentation explores the shift from traditional security to a more proactive approach focused on building immunity against cyber threats. It discusses the need for security, the cost of security overheads, and the concept of immunity. The presentation also delves into the steps involved in achieving immunity, such as requirement gathering and analysis, designing secure solutions, coding and reviews, testing, documentation/user guides, deployment, and maintenance.
Immune IT: Moving from Security to Immunity... - Ajit Hatti, ClubHack2008 Presentation
Contents I
• Security : What is it?
• Security : Why we need it?
• Security : How we see it?
• Security : What does it cost?
• Security : Do we own it?
• Security : How much is adequate?

Contents II
• Immunity : What is it?
• Immunity : How much does it cost?
• Immunity : Who is responsible?
• Immunity : How to get it?

Contents III
• Requirement Gathering & Analysis
• Designing a Solution
• Coding & Reviews
• Testing
• Documentation/User Guide
• Deployment
• Maintenance
Security : What does it cost?
Average annual security overheads incurred at prime organizations:
• Expense incurred on security systems - 20%
• Computational resources engaged in security operations - 15%
• Each person's time spent securing personal assets - 21%
• Latency introduced by security operations per connection - 2 sec / MB
• Data transfer used only for security updates - 17%
And these figures are bound to increase. (http://www.itbusinessedge.com/blogs/top/?p=207)
Immunity: How to achieve it?
• Embed security in each and every step of our engineering process.
• Practice security; integrate it in all operations.
• Greater awareness.
Requirement Gathering & Analysis
• Implicit security considerations
• Explicit security considerations
Designing a Solution
• Confidentiality
  • Enforcing access privileges.
  • Encryption & leakage prevention.
• Integrity
  • Defining the limits.
  • Backup and recovery.
• Availability
  • Business Continuity Plan.
  • Troubleshooting & failure recovery support.
Coding and Reviews
• Code should be:
  • Less
  • Clear
  • Secure
• Review for:
  • Validations
  • Possible memory corruptions
  • Initializations
Testing
• Sanity checks
• Challenging access control
• Fuzzing
• Vulnerability and pen-testing
• Dogfooding
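The "Coding and Reviews" and "Testing" slides above are lists, not code, so the following is an added worked example written for this page; it is not from the presentation or from Ajit Hatti. It assumes a constructed wire format (one length byte, a payload, one flags byte) and a small record parser: the first version has exactly the three defects the review checklist names (no input validation, a length-driven memory corruption, and a field left uninitialized on one path), the reviewed version is shorter and fixes all three, and the sanity-check and fuzzing functions show how the Testing slide's first and third items exercise the reviewed parser's contract rather than its output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example only (an assumption, not from the
 * slides): byte 0 = payload length N, bytes 1..N = payload, byte N+1 = flags. */
#define PAYLOAD_MAX 16

struct record {
    uint8_t length;
    uint8_t payload[PAYLOAD_MAX];
    uint8_t flags;
};

/* "Before review": each of the slide's three review items is missing.
 * Kept only to show what a reviewer should flag; nothing below calls it. */
int parse_record_unreviewed(const uint8_t *buf, size_t buf_len, struct record *out)
{
    out->length = buf[0];                        /* validation: buf_len never checked */
    memcpy(out->payload, buf + 1, out->length);  /* memory corruption: length may exceed PAYLOAD_MAX */
    if (out->length + 1u < buf_len)              /* initialization: flags undefined on the else path */
        out->flags = buf[1 + out->length];
    return 0;
}

/* "After review": less code, every bound checked, every field defined on every
 * path. Returns 0 on success, -1 on rejection; out is zeroed in both cases. */
int parse_record(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (out == NULL)
        return -1;
    memset(out, 0, sizeof *out);                 /* initialization */
    if (buf == NULL || buf_len < 2)              /* validation: need length byte + flags byte */
        return -1;
    uint8_t n = buf[0];
    if (n > PAYLOAD_MAX || (size_t)n + 2 > buf_len)  /* validation: fits our buffer and the input */
        return -1;
    out->length = n;
    memcpy(out->payload, buf + 1, n);            /* n is now provably <= PAYLOAD_MAX */
    out->flags = buf[1 + n];
    return 0;
}

/* Small deterministic PRNG so fuzz runs are reproducible from a seed. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Testing slide, "Fuzzing": feed parse_record random inputs and check its
 * contract. Returns the number of contract violations found (expected: 0). */
int fuzz_parse_record(uint32_t seed, int iterations)
{
    uint32_t s = seed ? seed : 1;
    int violations = 0;
    for (int i = 0; i < iterations; i++) {
        uint8_t buf[2 * PAYLOAD_MAX + 8];
        size_t len = xorshift32(&s) % (sizeof buf + 1);
        for (size_t j = 0; j < len; j++)
            buf[j] = (uint8_t)xorshift32(&s);
        if (len > 0 && i % 4 == 0)                /* bias toward the length boundary */
            buf[0] = (uint8_t)(xorshift32(&s) % (PAYLOAD_MAX + 4));
        struct record r;
        if (parse_record(buf, len, &r) == 0) {
            if (r.length > PAYLOAD_MAX || (size_t)r.length + 2 > len ||
                memcmp(r.payload, buf + 1, r.length) != 0 || r.flags != buf[1 + r.length])
                violations++;
        } else if (r.length != 0 || r.flags != 0) {
            violations++;                         /* rejected input must leave out zeroed */
        }
    }
    return violations;
}

/* Testing slide, "Sanity checks": hand-built vectors (constructed). Returns how
 * many of the four checks passed. */
int sanity_checks(void)
{
    const uint8_t good[]     = {3, 'a', 'b', 'c', 0x80};  /* well-formed */
    const uint8_t too_long[] = {200, 'x'};                /* claims more bytes than present */
    const uint8_t overflow[] = {PAYLOAD_MAX + 1, 0};      /* would overrun payload[] */
    struct record r;
    int passed = 0;
    passed += parse_record(good, sizeof good, &r) == 0 && r.length == 3 && r.flags == 0x80;
    passed += memcmp(r.payload, "abc", 3) == 0;
    passed += parse_record(too_long, sizeof too_long, &r) == -1;
    passed += parse_record(overflow, sizeof overflow, &r) == -1 && r.length == 0;
    return passed;
}

int main(void)
{
    printf("sanity checks passed: %d/4\n", sanity_checks());
    printf("fuzz violations: %d\n", fuzz_parse_record(2008, 100000));
    return 0;
}
```

The fuzz loop deliberately asserts the parser's contract (accepted input implies in-bounds length and faithfully copied fields; rejected input implies a zeroed struct) instead of comparing against expected output, which is what makes random inputs useful: any crash or violated invariant is a finding even though no oracle knows the "right" answer for a random buffer.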
Documentation/User Guides
• Enforcing access control & encryption.
• Changing the default configurations, settings and passwords.
• Methods of backup and recovery, etc.
• Advisory on best practices, do's and don'ts.
• Known issues and workarounds.
Deployment & Maintenance
• Deploy the solution with the most secure configuration that is feasible.
• Follow best practices.
• Apply security updates and patches provided by vendors.
• Conduct security audits of the system.
Conclusion
• Security is defined by CIA.
• Addressing CIA at each phase of engineering results in immunity.
• Security must be integrated in our thoughts, processes and operations.
• Immunity comes through ownership of security.