1. IT Security: a CIO Perspective
The 3rd Kuwait Info Security Conference & Exhibition
By
Ghassan Farra
Senior Consultant
The Advance Technology Group
2. IT Security Architecture
- Business strategies driving the business
- Management and operational policies
- Hardening, HIPS
- Secure encryption, authentication technologies
- Security practices in development, penetration tests
- Firewalls, NIPS
- Operational procedures
- Audits, log analysis, content inspection
- Business continuity, incident response
5/26/2011
3rd Annual InfoSecurity Conference
2
3. Pitfalls in the Security Fortress
Unforeseen (and seemingly harmless!) practices and technologies can bring the security fortress crumbling down and expose the entire infrastructure to numerous risks and threats.
4. PST Files
Risks
- The majority of an enterprise's sensitive documents sit today in email messages.
- Messages are archived to local PST files, which often get lost when an employee leaves or damaged when they hit size limits.
- PST files often elude the retention policy.
Mitigation
- Mail archiving solution
- Central repository for sharing documents
5. 3rd Party Network Access
Risks
- Allowing 3rd-party network access (3G, 4G) opens a pathway into the corporate network
- Infrastructure is exposed to threats
- Theft of critical information
Mitigation
- Define and establish policy and procedures
- Endpoint or port control solution
6. Wireless Network
Risks
- Usage of weak encryption algorithms
- Lack of identification and authentication of base stations
- Unencrypted communication channel
Mitigation
- Use the latest wireless encryption protocols
- Enable authentication to access wireless services
- Rogue base station monitoring
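The two wireless mitigations above (checking encryption protocols and monitoring for rogue base stations) can be combined into one periodic audit. The following is an added example, not part of the original presentation: it parses a scan listing in the shape that `netsh wlan show networks mode=bssid` prints on Windows (the sample text, the SSID names and the BSSIDs are constructed for this example), grades each corporate SSID's authentication and cipher, and flags any BSSID that broadcasts a corporate SSID but is missing from the wireless controller's inventory (a hypothetical `AUTHORIZED_APS` table).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample scan listing; field names follow netsh's layout, values are made up.
SAMPLE_SCAN = """\
SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : aa:bb:cc:00:00:01
    BSSID 2                 : aa:bb:cc:00:00:02

SSID 2 : CorpNet
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : de:ad:be:ef:00:99

SSID 3 : CorpGuest
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
    BSSID 1                 : 11:22:33:44:55:66

SSID 4 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:55
"""

# Hypothetical controller inventory: corporate SSID -> BSSIDs we actually operate.
AUTHORIZED_APS: dict[str, set[str]] = {
    "CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpGuest": {"11:22:33:44:55:66"},
}

FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*:\s*(?P<val>.*?)\s*$")


@dataclass(frozen=True)
class Finding:
    ssid: str
    bssid: str
    kind: str
    detail: str


def parse_scan(text: str) -> list[dict]:
    """Turn the scan listing into one dict per SSID block with its auth, cipher and BSSIDs."""
    networks: list[dict] = []
    current: dict | None = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key.startswith("SSID"):
            current = {"ssid": val, "auth": "", "enc": "", "bssids": []}
            networks.append(current)
        elif current is None:
            continue
        elif key.startswith("BSSID"):
            current["bssids"].append(val.lower())
        elif key == "Authentication":
            current["auth"] = val
        elif key == "Encryption":
            current["enc"] = val
    return networks


def classify_security(auth: str, enc: str) -> str:
    """'critical' = no real protection, 'weak' = deprecated WPA1/TKIP, 'ok' = WPA2/WPA3 with AES."""
    a, e = auth.upper(), enc.upper()
    if a in {"OPEN", "WEP"} or e in {"NONE", "WEP"}:
        return "critical"
    if a.startswith("WPA-") or e == "TKIP":
        return "weak"
    if (a.startswith("WPA2") or a.startswith("WPA3")) and e in {"CCMP", "GCMP"}:
        return "ok"
    return "weak"  # anything unrecognised needs a human look


def audit(scan_text: str, authorized: dict[str, set[str]]) -> list[Finding]:
    """Report rogue BSSIDs and weak security for corporate SSIDs only; neighbours are ignored."""
    findings: list[Finding] = []
    for net in parse_scan(scan_text):
        ssid = net["ssid"]
        if ssid not in authorized:
            continue
        grade = classify_security(net["auth"], net["enc"])
        for bssid in net["bssids"]:
            if bssid not in authorized[ssid]:
                findings.append(Finding(ssid, bssid, "rogue-ap",
                                        "BSSID not in controller inventory (possible evil twin)"))
            if grade != "ok":
                findings.append(Finding(ssid, bssid, f"{grade}-encryption",
                                        f"{net['auth']}/{net['enc']}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN, AUTHORIZED_APS):
        print(f"{f.kind:20} {f.ssid:10} {f.bssid}  {f.detail}")
```

Run from a scheduled task on a few workstations in each building, the unknown BSSID advertising `CorpNet` with no encryption is exactly the "rogue base station" the slide warns about, and the WPA-Personal/TKIP guest network shows up as a weak-protocol finding to fix.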
7. Laptop Theft or Damage
Risks
- Laptops contain highly critical data
- Data is easily retrieved when no controls (e.g. full disk encryption) are in place
Mitigation
- Management policies / guidelines
- Full disk encryption and backups
- Awareness on using laptops (in and out of the office, in public places, etc.)
8. HR Processes
Risks
- No notification on employee exit or internal transfers
- Access privileges to corporate data remain in place
- Access to critical business applications remains in place
Mitigation
- Define corporate policy
- Establish the process or procedure
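The process the slide asks for is usually a nightly reconciliation between the HR system and the directory. Below is an added example, not from the presentation: it compares a constructed HR roster with a constructed directory export (both CSV, column names and the `dept-<department>` group naming convention are assumptions for this example) and produces the leaver, mover and orphan actions that an exit or transfer notification would otherwise have to trigger by hand.

```python
from __future__ import annotations

import csv
import io

# Constructed sample exports (not real data). In practice they come from the HR
# system's extract and a directory dump such as Get-ADUser output saved as CSV.
HR_ROSTER_CSV = """employee_id,name,department,status
E001,Alice,Finance,active
E002,Bob,Sales,terminated
E003,Carol,Engineering,active
E004,Dan,Finance,active
"""

DIRECTORY_CSV = """username,employee_id,enabled,groups
alice,E001,true,dept-finance;vpn-users
bob,E002,true,dept-sales;crm-admins
carol,E003,true,dept-finance;vpn-users
svc_legacy,,true,domain-admins
eve,E009,false,dept-sales
"""


def dept_group(department: str) -> str:
    """Assumed naming convention: one access group per department."""
    return f"dept-{department.strip().lower()}"


def load_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, dir_csv: str) -> list[tuple[str, str, str]]:
    """Return (action, subject, detail) tuples: disable leavers, fix movers, flag orphans and joiners."""
    hr = {row["employee_id"]: row for row in load_csv(hr_csv)}
    actions: list[tuple[str, str, str]] = []
    seen_ids: set[str] = set()
    for acct in load_csv(dir_csv):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        groups = {g for g in acct["groups"].split(";") if g}
        person = hr.get(acct["employee_id"])
        if person is not None:
            seen_ids.add(person["employee_id"])
        if not enabled:
            continue  # already disabled; nothing to revoke urgently
        if person is None:
            # Leaver path, variant 2: an enabled account nobody in HR owns.
            actions.append(("orphan", user, "enabled account with no HR record"))
            continue
        if person["status"] != "active":
            # Leaver path: HR knows the person is gone but the account still works.
            actions.append(("disable", user, f"HR status is {person['status']}"))
            continue
        # Mover path: membership in a department group other than the current one.
        expected = dept_group(person["department"])
        for g in sorted(groups):
            if g.startswith("dept-") and g != expected:
                actions.append(("revoke", user, g))
        if expected not in groups:
            actions.append(("grant", user, expected))
    # Joiner path: active in HR, no account at all.
    for emp_id, person in hr.items():
        if person["status"] == "active" and emp_id not in seen_ids:
            actions.append(("missing_account", emp_id, person["name"]))
    return actions


if __name__ == "__main__":
    for action, subject, detail in reconcile(HR_ROSTER_CSV, DIRECTORY_CSV):
        print(f"{action:16} {subject:12} {detail}")
```

Carol's case is the one the "internal transfers" bullet is about: she moved from Finance to Engineering, and without the revoke line her Finance access would accumulate indefinitely. The `svc_legacy` orphan and the still-enabled `bob` are the leaver failures; a real run would hand the `disable` actions to an automated job and the `orphan` ones to a reviewer.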
9. Removable Media
Risks
- Computer infection with malicious code or malware (and in turn the network), e.g. Stuxnet
- Authorized and unauthorized information stealing
Mitigation
- Endpoint or port control solution (USB, CD-ROM, serial, parallel, etc.)
- Encrypt external media (USB, DVD/CD) carrying critical information
- Policy and guidelines to support and tune the solution
10. Clean Desk
Risks
- Access to critical physical data
- Unauthorized access to user accounts and business applications
Mitigation
- Define and establish policy and procedures
- Security and information handling awareness campaign
- Locking of desktops and critical applications (automatic and manual)
11. Single Sign-On
Risks
- Compromising one's account allows access to multiple systems
- All applications are available with the user's SSO, which leaves a pathway to information leaks or privacy violations
Mitigation
- Enforce strong (multi-factor) authentication
12. IT Asset Management
Risks
- No structured process to manage assets
- No policy or procedure to handle end-of-life or disposed assets
- No data sanitization procedures
- Critical information is still available on the disks
Mitigation
- Define and establish an asset management process
- Define and establish data sanitization procedures
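A data sanitization procedure is only worth the paper it is written on if the result is verified and recorded. The following is an added example, not part of the presentation: it overwrites a file in place with three passes (ones, random, zeros), reads the whole file back to confirm every byte matches the final pattern, and returns a record whose digest an auditor can recompute independently from the file size alone. The sample content and the pass plan are constructed for this example.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1 << 16


@dataclass
class SanitizationRecord:
    """What goes into the disposal register: what was wiped, how, and whether it verified."""
    path: str
    size: int
    passes: int
    verified: bool
    final_digest: str


def overwrite(path: str, fill: bytes | None) -> None:
    """Overwrite every byte of `path` in place; fill=None means random data."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(os.urandom(n) if fill is None else fill * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # make sure the pass actually reached the medium


def verify_fill(path: str, fill: bytes) -> bool:
    """Read the file back and confirm every byte equals the final pattern."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True
            if block != fill * len(block):
                return False


def sanitize(path: str) -> SanitizationRecord:
    size = os.path.getsize(path)
    plan = [b"\xff", None, b"\x00"]  # constructed pass plan: ones, random, zeros
    for fill in plan:
        overwrite(path, fill)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return SanitizationRecord(path, size, len(plan), verify_fill(path, b"\x00"), digest.hexdigest())


def expected_digest(size: int) -> str:
    """Digest of a zero-filled file of this size, recomputable by an auditor without the file."""
    return hashlib.sha256(b"\x00" * size).hexdigest()


def demo() -> SanitizationRecord:
    """Wipe a constructed 'confidential' temp file and return the record."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONFIDENTIAL customer ledger " * 5000)
        path = tmp.name
    try:
        return sanitize(path)
    finally:
        os.remove(path)


def demo_failed_verify() -> bool:
    """Shows the check catching an incomplete job: only the 0xFF pass was run."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"stale data" * 100)
        path = tmp.name
    try:
        overwrite(path, b"\xff")
        return verify_fill(path, b"\x00")  # False: the file is not zero-filled
    finally:
        os.remove(path)


if __name__ == "__main__":
    rec = demo()
    print(rec, "digest matches:", rec.final_digest == expected_digest(rec.size))
```

The read-back step is the part to keep whatever tool does the overwriting. Note the caveat for whole devices: overwriting through a filesystem does not reach remapped blocks, wear-levelled flash or snapshots, so end-of-life drives should be sanitized with the device's own secure-erase or cryptographic-erase command (or physically destroyed), with the verification and the record kept exactly as above.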