Managing Information Security Risks
Ken M. Shaurette, CISSP, CISA, CISM, IAM
Information Security Solutions Manager
MPC Security Solutions
TechFest, December 2003
Agenda
• Why Security?
• Information Assets
• Threats
• Vulnerabilities
• Dynamic Security Methodology
• Risk Management
• MPC Security Solutions Delivers
Why Security?
• Legislation and community pressure
• Inappropriate use leads to disciplinary action.
• Protecting critical infrastructures (InfraGard, DHS)
• Liability?
• It's simply a good idea!
Regulations Touch Everyone!
Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security, July 22, 2003.
Once upon a time….
Then things started to get a little ugly….
Security used to be easy to understand
• Payroll Office….
  – Lock on door
  – Lock on file cabinet
  – Audits
Equal Reasonable Security
Security is now a little more complex
• Active Directory, X.500, NDS, Shadow Passwords
• VPN, PPTP, Telnet, SSH, IPSEC, Encryption
• Wireless, Fiber, ATM, T1, DS3, Dial-up, Cell, PDA
• PKI, Kerberos, DES, DES3, SHA, CHAP, PAP
• Client Server, Mainframe, ASP, Web Services
• Thin Client, Thick Client, Skinny Client, Tall Client
• Terminal Server, Distance Learning
• HTTPS, SSL
You know more than you think…
• Information Security is about Information
• Technology is a piece of the puzzle
• You should not have to master technology in order to manage risk
The “Good” News
• Technology has become easier and easier to implement
  – Anyone can install a server
  – Anyone can install a network
  – Anyone can bring up a web server
  – Anyone can get connected (in lots of ways)
The “Bad” News
• Technology has become easier and easier to implement
  – Anyone can install a server
  – Anyone can install a network
  – Anyone can bring up a web server
  – Anyone can get connected (in lots of ways)
What are we securing against?
• Identity Theft
• Privacy issues
• Copyright issues
• Hijacking of resources
• Liability
• Regulations
Information Assets
Which does your organization have?
  – Records about special programs
  – Residents' information
  – Financial information
  – Health information
  – Statistical information
Information Assets
How do you identify value?
  – Accounting / "book value"
  – Intrinsic value / Replacement Cost
  – Formal quantifiable methods (BCP/DRP)
  – "Gut feel"
The “Best” News
• There is hope!
Information Assets
• What is worth protecting?
  – Confidentiality (keeping secrets)
  – Integrity (tamper-proofing)
  – Availability (there when you need it)
• Why protect?
  – Community expectations
  – Regulatory requirements
  – Perception
  – Liability
Information Assets
How do you protect?
  – "Classification" (secret, top secret, unclassified)
  – Policies (separation of duties, appropriate use)
  – "Security Awareness training"
  – "Common Sense" or "Second Thought" approach
Information Assets
How much do you spend on protection?
  – Is it based on the value of the information?
  – Is it based on the number and likelihood of threats?
  – Are vulnerabilities accounted for?
  – How much is enough protection?
  – Is Return on Investment (ROI) expected or required?
Threats - Motive
• What is the nature of a threat?
  – Confidentiality (learning secrets)
  – Integrity (tampering with data)
  – Availability (denial of service)
• Who poses a threat to the organization?
  – Terrorists
  – Former employees
  – Unhappy residents
  – Hackers
Vulnerabilities
• Absence or weakness of a safeguard
  – Safeguards reduce the likelihood of expected loss from a threat
  – Can be well known, such as an IIS patch
  – Can be unknown, such as a design error
• Types of vulnerabilities
  – Technical
  – Non-technical
Could any of these Occur?
• Sexual Harassment or stalking performed using your Computers?
• Email Threats to Residents, Officials, Politicians?
• Community questions about how their tax money is being used?
• Community asks how computer systems are being wasted?
Dynamic Security Infrastructure
[Diagram: a cycle of stages, Baseline Current Security, Perform Gap Analysis, Strategy Definition, Security Architecture, Deploy Solutions and Compliance Reporting, with Periodic Re-evaluation driven by New Risks, Legislation and Security Requirements. Questions shown on the diagram: "Where Are We Today?", "What Are The Short Falls?", "Where Do We Need to Be?", "How Do We Get There?", "What Is Our Security Policy?", "Implement!", "Experience Feedback".]
Security Risk Management
• Understand value of information
• Understand the threats
• Understand vulnerabilities and corresponding safeguards
• Invest wisely in appropriate safeguards that reduce the impact of threats.
• Emergency preparedness
Risk Mitigation
• Understand security risk
• Understand technology
• Accept Risk
  – Documentation of risk acceptance is a form of mitigation.
• Defer or transfer risk
  – Insurance
• Mitigate risk
  – Technology can mitigate risk
How Can MPC Help?
• Services
  – Information Security Operational Planning (ISOP)
  – Information Security Assessment Project (SA)
  – Security Policy Review and Writing
  – Security Risk Management Program
How Can MPC Help?
• Services
  – Network Perimeter Security Sweep (NPSS)
  – Internal Network Security Sweep (INSS)
  – Secure Network Operations Center (RSMC) for monitoring network (IDS or Firewall)
How Can MPC Help?
• Technology
  – Monitoring/Auditing Tools: workstation usage, license measurement and computer utilization (5th Column)
  – Access Controls: wireless, Active Directory, NDS, multiple factor authentication (Novell, Microsoft)
  – Filtering & Proxy Tools (Websense)
  – Firewalls (PIX, Cyberguard)
How Can MPC Help?
• Technology
  – Intrusion Detection/Prevention (Host and Network)
  – Application Gateways
  – IP Video Surveillance
  – Secure Network Infrastructure Design
  – Wireless Technology
Thank You!