Security in the Enterprise
Jim Slick, President and Chief Executive Officer

Security in the enterprise - Why You Need It




Presenter

Jim Slick, the President and Chief Executive Officer of Slick Cyber Systems, has been in the IT industry, professionally, since 1984. In his career, Jim has built many data centers ranging in size from single small-business servers to massive 300+ server fully clustered environments with real-time replication and disaster recovery. Jim’s educational background covers an Electrical Engineering degree as well as a BS degree in Business Administration and an MBA. He has also graduated from the Disney Institute in Florida, has earned his Microsoft Certified Systems Engineer status, as well as many other certifications in the industry.


Security and data theft is the single most important topic any IT professional should consider when reviewing their own infrastructure.

Data is the core... the past, present, and future of any business.

Data is finance, your intellectual property (IP), your communications, and the list goes on. Without any single component, the company would not survive.

Data IS the business!

Make sure you have all of your bases covered.


Gateway Security

What it is and why you need it…


UTM Appliances

• Unified Threat Management: What is it?
  – Gateway Anti-Virus
  – Gateway Anti-Spyware
  – Gateway Intrusion Detection and Prevention
  – Gateway Content Filtering
  – Stateful Inspection Firewall
  – VPN (Virtual Private Networking)


Security Statistics

• Crimeware or APT? Malware’s “Fifty Shades of Grey”
  – Some cybercriminals build massive botnets to use unsuspecting endpoints for SPAM, distributed denial-of-service (DDoS) attacks, or large-scale click fraud. With the aid of banking Trojans, other cybercriminals create smaller, specialized botnets that focus on stealing bank credentials and credit card information.
  – Remote access tools, or RATs, are an integral part of the cybercrime toolbox. For example, a recent FireEye investigation into XtremeRAT revealed that it had been propagated by SPAM campaigns that typically distribute Zeus variants and other banking-focused malware. This tactic may stem in part from the realization that compromising retailers can net millions of credit card numbers in one fell swoop.
  – APT (Advanced Persistent Threat) is a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. As the name implies, APT consists of three major components/processes: advanced, persistent, and threat. The advanced process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The persistent process suggests that an external command and control is continuously monitoring and extracting data off a specific target. The threat process indicates human involvement in orchestrating the attack.


More Security Statistics

• The extent to which such attacks are targeted, and not opportunistic, is unclear. The attackers could be singling out specific retailers in advance. Or they could be targeting an entire industry, simply capitalizing on opportunities that arise.
• The world of cybercrime features a broad spectrum of bad actors: On one end, highly focused state-sponsored attackers use custom tools and zero-day exploits. On the other end, “commodity” cybercriminals use widely deployed exploit kits that indiscriminately compromise thousands of systems around the globe.
• In the middle are (at least) “fifty shades of grey.” One class of attacker mixes publicly available malware platforms and custom tools. These latter cases suggest that it is not always easy to estimate the size or sophistication of an adversary simply by finding one piece of what may be a far larger puzzle.
• Bottom line, the puzzle is very complex and very large.


Even More Security Statistics

• Medical Facts:
  • The Identity Theft Resource Center® recorded 614 breaches on the 2013 ITRC Breach List, a dramatic increase of 30% over the total number of breaches tracked in 2012. The Healthcare sector accounted for 43.8% of the total breaches on this list, overtaking the business sector at 34.4% for the first time since 2005, when the ITRC first began tracking data breaches. This comes as no surprise to the ITRC, with more and more breaches being reported to the Department of Health and Human Services (HHS). Additionally, due to the mandatory reporting requirement for healthcare industry breaches affecting 500 or more individuals, 87% of these healthcare breaches publicly stated the number of records exposed. A sector with a large percentage of breaches, with most entities publicly reporting the number of records, stands out significantly when compared to the 40.1% of incidents in 2013 in which the number of records exposed is unknown!
• Don’t think it won’t happen to you. These statistics are real. Chances are one of you has already had a brush with it.
  – Average number of U.S. identity fraud victims annually: 11,571,900
  – Percent of U.S. households that reported some type of identity fraud: 7%
  – Average financial loss per identity theft incident: $4,930
  – Total financial loss attributed to identity theft in 2012: $24.7 billion
  – Total financial loss attributed to identity theft in 2010: $13.2 billion


E-Mail Security

What it is and why you need it…


E-Mail Security

• Do you host e-mail internally or externally?
  – Externally?
    • POP3? Exchange?
  – Internally?
    • Exchange? Other?
• Are YOU protected from SPAM and phishing attacks? If you are using POP3, good luck. If you are using Exchange, we have a solution.


E-Mail Security

• If you host externally, there are outsourced scanning options available.

• If you host internally, there are both outsourced and in-sourced options. Both are good. Think security first and what is YOUR exposed risk.


E-Mail Security

• SPAM: Also known as junk mail. Most of these are harmless. Interesting statistic: 98.7% of all e-mail is SPAM. How’s that for clogging your internet connection or mail server (and how about backup costs for that junk)!
• Phishing: These are the nasty folks who are actively trying to steal your user names, passwords, SS numbers, etc. They succeed all too frequently. Look for improper diction and misspellings or domain names that just don’t ‘look right’.
• Virus Activity: Joke messages. Most are just jokes, some are not. Once it hits your server (especially if it’s polymorphic or a worm), you’re about done without the proper protection.
• When in doubt, delete it without opening it. If you think it may be real, call the sender and verify its authenticity.


E-mail Security

• What should I use?
  – Gateway: Install an e-mail appliance that will do the initial scan of mail or use an external scanning product like our Intel SCS EagleWing Ultimate Defense. Most is stopped here.
  – E-Mail Server (Exchange): Microsoft Forefront or GFI’s Mail Security. It will stop infected messages that happen to make it in and will definitely stop worms.
  – User Education: This is the most important … Educate your users on what SPAM and phishing look like!


Server Security

What it is and why you need it…


Server based antivirus and anti-malware protection

• Server based antivirus and anti-malware protection
  – If I have anti-virus on the gateway, why do I need this too?
    • No one device or software package is perfect. It adds the final level of protection your servers and clients require. What if they bring in an infected file themselves from a pen drive or CD and drop it right on your network drive? It’s the only line of defense then.
• Messaging level antivirus and anti-malware protection
  – If I have an e-mail security device, why do I need this?
    • As mentioned before, not everything is perfect. It adds that extra protection. If you have a company white listed on your external appliance you are now relying on them to be 100% secure … do you really trust anyone that much?


Server Security

• Is antivirus software all I need?
  – No. You should have anti-spyware software as well. Some packages do both, but that doesn’t mean they are that good. Be careful and know your options.


Hosted Systems Security

• How do I protect a hosted solution?
  – You can’t. You, unfortunately, need to rely on the hosted solution provider’s ability to control security. Most EHR/EMR systems are hosted.
  – Be careful when selecting a vendor … know your vendor and your options if a breach occurs!
  – Make sure you have your gateway and desktops secured.
  – Educate your users!!


Desktop Security

What it is and why you need it…


• Desktop based antivirus and anti-malware
  – Why do I need these too?
    • This is the last level of physical defense. Why would you go this far and not protect the very machines the users are working on?!?
  – Will it protect me from phishing sites?
    • No. Phishing sites aren’t local to your network. Users are lured into the trap. The firewall thinks the user knows what they are doing and allows the traffic to pass. User gives passwords … end of story.


• Browser Choices:
  – IE, Firefox, Opera, Google Chrome? What to use?
    • I am a firm believer that IE is just fine.
    • Firefox is still the number one hacked browser. They need to play ‘catch-up’ with their security.
    • Chrome is okay, but lacks the level of support that Microsoft has.
    • Everything else is a joke … stay away!
  – Is IE really as bad as ‘they’ say?
    • No, it is the most patched and watched browser available. It comes with your OS making it less work (i.e., IT $$).
    • Like anything in IT ... keep it patched!!!


• Operating System Choices
  – Windows 8, Windows 7, Windows Vista, or Windows XP: Which is more secure and should you upgrade?
    • XP
      – Windows XP is now retired and no longer supported. It was the 2nd most hacked OS in the history of Windows (95 was the most).
    • Vista
      – Very stable. More difficult to hack than XP or other OS’s.
      – Had a bad ‘rap’, but was more robust than XP.
    • Windows 7
      – Very stable. More difficult to hack than XP or other OS’s.
      – Still the most used OS in business
    • Windows 8
      – Is all of the hype worth it?
        » Yes. Its networking subsystem alone is tuned so well (for performance) that your network traffic will be reduced by 18+% and you will notice a significant performance gain in accessing network shares and apps.
        » It is extremely secure.
        » Get the right resources to help you deploy. It is NOT XP!
  – Macs? Do you really think they are impervious to virus activity and hacking?
    • It’s the hackers’ new frontier. Being a subset of Linux, it’s a very ‘hackable’ platform. 98% of all hacking software is developed on Linux.
    • The SUN story. 1992 … the keystroke hack that took UNIX by storm.


Server OS Choices

• Still running 2000 Server? You are really pushing your luck. Upgrade now.

• Windows 2003: Good server OS. Stable, secure. Will be obsolete next year.

• Windows 2008: Even better. More stable. More secure.

• Server 2012: The most secure server platform to date (based on Windows 8 code). Why would you not want to run it? Applications will decide. Push your vendors to certify their code on 2012 now!


Remote Users

How do we keep our remote users safe?


Remote Users – What do they do?

• Notebooks
  – Remote Access / VPN
  – Tons of wireless connectivity, especially in public places like airports, coffee shops, and hotels.
• SmartPhones & Tablets
  – Remote e-mail
  – iPhone/Droid/Windows


Remote Users

• How do we protect them?
  – Start with a good set of policies and procedures
    • Restrict certain types of public access
    • Restrict certain web sites
  – Local Antivirus and anti-spyware
    • Make sure you have a policy to keep it up to date.
  – Don’t allow data storage on the local drive
    • Make them connect to VPN to store their files on a file server. This protects the company from data loss as well as data theft.
  – Force all updates (Microsoft, AV, etc) daily


BYOD

The greatest threat posed to IT in years.

• What is BYOD?
• Bring Your Own Device (tablet, phone, etc)
• Why is it unsafe?
• You have no idea what that person does at night!
• Have a policy … better yet, don’t allow it!!


Disaster Recovery/Business Continuity and Backup

What if … a question that should be asked…


Why do I need a DR plan?

• Do you have a plan?
• If so, is it just IT (Disaster Recovery) or the entire business (Business Continuity)?
• Don’t have one?
  – Who should be working on it?
  – What else would I need other than my computer data?
    • Paper: Sometimes you need it…
• Have you considered an offsite backup solution?
  – Don’t be fooled by ‘cheap’ solutions. You get what you pay for.
• Real-time replication may be a better fit depending on data criticality.
• At least get your data off site … daily!
• What about DR centers? What do they have to offer?
• Have you tested your plan?
  – Tests should be conducted at least once a year


Social Engineering

How well do you know your employees?


What is Social Engineering Anyway?

• Colleagues / employees / friends sharing passwords
• Screens not being locked when walking away
• Access to the building … posing as an employee when you are not.
• Training for all employees … especially executives!
  – Test your employees … see if your training has paid off.


Security Policies

Why is this important?


Policies … how will that help?

• Data retention
  – If you have a data retention policy and you get sued, you are only responsible for whatever your policy states. If you do not have one, the prosecutors can put a freeze on your servers (not allow access) and you are responsible for every piece of data and e-mail that you have on your systems. They will search everything. Remember, users will keep everything given the chance.
• Security
  – Have policies that state clearly what corporate software is to be used and how it is to be updated.
  – Don’t let your programming staff tell you that OS patches cannot be installed. This is a pile of rubbish in most instances. It becomes an excuse for not keeping their code up to date.
• Internet usage
  – Keep your employees from the ‘bad’ sites and avoid HR issues by clearly telling them what they can and cannot do.
  – Install monitoring tools if necessary.
  – Content management … your friend and your enemy.

• Train your employees when they are hired, not six months later!


Hire Professionals when you need them

• Outsourced IT consulting and service
• Get it right from design to implementation.
• Just because your in-house person can reformat a PC doesn’t mean they know how to install a server (let alone a security device!)
• This is a critical problem that most companies fail on. Let experts do what they are trained to do. You’ll get it right the first time and save money doing it!


Outsourcing part or all of your IT

• If you have never considered this?
  – Most companies that do this realize savings of up to 50% in the first year alone.
  – Upfront costs mean nothing. Look at the big picture.
    • Design and install are right the first time.
    • Zero unplanned down time.
    • Pay as you need and get an expert every time.


Summary

• Do you buy car insurance?
• Do you buy health insurance?
• Do you buy life insurance?
• Do you buy business insurance?
• Why would you risk your data … your Company … your Patients’ … to not have the proper IT expertise, equipment, policies, and procedures in place? Do IT right!


Thank You!!!