1. Security on a Budget
Michael McKay, CISSP, CISA
Senior Security Engineer
© nCircle 2012. All rights reserved.
2. Overview
• Target audience
• Are you at risk?
• How to begin
• Get some quick wins
• Your roadmap: the 20 Critical Controls
• Developing your action plan
2 © nCircle 2012 All rights reserved. nCircle Company Confidential
3. Poll Question
How many live IPs do you have on your
network?
1- 10
11 - 50
51 – 100
More than 100
4. Target Audience—does this sound like you?
• Small to medium-sized business, schools and government
• Up to 500 employees
• IT wears many hats
• Often don’t have a dedicated Information Security department
or person
• Primary security tools are firewalls and antivirus
• Limited budget for security
• Management often doesn’t see security as
a necessary investment (why would
they go after us?)
5. Poll Question
In your opinion, does your company understand the risk of
cyber attack?
Yes
No
6. Are you at risk?
• Perception: According to a recent survey
conducted by Visa and the National Cyber Security
Alliance, more than 85% of small business owners
believe their companies are less of a target for
cybercrime than large companies.
• Reality: Hackers and computer criminals are aiming
directly at small and midsize businesses. Smaller
businesses offer a much more attractive target than
larger enterprises that have steeled themselves with
years of security spending and compliance efforts.
7. Small and Mid-size Business is the “sweet spot”
• % of SMBs lacking basic defenses against cybercrime:
Web filtering 52%
Threat training 39%
Anti-spam 29%
Anti-spyware 22%
Firewall 16%
Source: Panda Security online survey of 1,400 small and midsize U.S. businesses
8. More Statistics (and you don’t want to be one)
• 79% of victims were targets of opportunity
• 96% of attacks were not highly difficult
• 94% of all data compromised involved servers
• 85% of breaches took weeks or more to discover
• 92% of incidents were discovered by a third party
• 97% of breaches were avoidable through simple or intermediate controls
• 96% of victims subject to PCI DSS had not achieved compliance
9. Poll Question
Does your company need to be PCI Compliant?
Yes
No
10. Are you at risk?
• Cyberthieves funneled $217K from a convention center in Omaha
– Phishy e-mail installed malware that provided access to payroll system
and phony employees were added to the payroll
– "Mules" collected payroll and remitted the funds to the hackers
– Prior to the heist, the center refused many of the security options
offered by its bank including a requirement that two employees sign off
on every transfer.
– "We had declined some of the security measures offered to us, [but if]
we had those in place this wouldn't have happened to us," "We thought
that would be administratively burdensome, and I was more worried
about internal stuff, not somebody hacking into our systems."
11. Are you at risk?
• $497K stolen from school district in upstate New York
– Initial attempt was for $3.8M, but was stopped by the bank
– Thieves used malware to gain access to online bank accounts
– Loss represents more than 3% of their annual budget of $15M
• Cybercrime cost magazine store in Chicago $22,000
– Malware on their POS systems sent customer credit card numbers to
Russia where they were used fraudulently.
– The source of the leak was traced to the store.
– The store had to pay $22K for the forensic investigation required by
MasterCard.
– The malware was present for over a year
before it was discovered.
12. How to begin protecting yourself
• Believe in the risk—it’s very real
• Convince management of the urgency
• Start with some quick wins—really easy!
• Great resources: SANS, CIS, NIST, vendors
• Consensus Audit Guidelines (The 20 Critical Controls)
• PCI Data Security Standard (Essential if you accept credit cards)
• It’s a journey, find companions to help you
13. Survey says: The Top Network Vulnerability is …
Blank or default passwords
nCircle PureCloud benchmark statistics in April showed that eight of the
top 10 highest risk vulnerabilities detected on small business networks are
related to blank or default passwords.
A good password security policy combined with regular vulnerability scans
dramatically reduces your risk.
14. Some quick wins
Change your passwords, now, on everything! Make them strong. Never share
them, especially privileged ones. (free)
Control remote access services with firewall (free or $)
Use OpenDNS (free or $) to block access to known bad sites
Create your Security Policy: SANS (free), InstantSecurityPolicy.com ($)
Educate users, managers: SANS Securing the Human ($)
Get your roadmap: SANS 20 Critical Controls (free)
15. What are these 20 Critical Controls?
• A prioritized baseline of information security measures and controls
that can be continuously monitored through automated mechanisms
• Developed by a collaboration of leading security experts and CISOs inside
and outside of the government with extensive experience in incident
response, penetration testing, and computer forensics
• Designed with specific attack scenarios in mind, each Control begins with
"How do attackers exploit the lack of this control?"
16. 20 Critical Controls Guiding Principles
Defenses should focus on addressing the most common and damaging
attacks occurring today and those anticipated in the near future.
Defenses should be automated where possible.
The Controls should provide specific prioritized guidance for how to
minimize the risks.
19. 1. Inventory of Authorized and Unauthorized Devices
Attackers continuously search for new, unpatched systems that can be
automatically exploited. You need to know what’s on your network so you
can manage what should be there and detect unauthorized devices.
• Spiceworks (free)
• nmap (free)
• Nessus (free or $)
• nCircle PureCloud ($)
• nCircle IP360 ($)
• nCircle CCM ($)
– Standardize naming conventions (free)
– Maintain an asset inventory with network address,
machine name, purpose, asset owner,
department (free)
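An added example of the Control 1 reconciliation step, not code from the nCircle deck or from any of the tools listed above: it parses an nmap ping-sweep in grepable (-oG) format, compares the live hosts against the asset inventory columns the slide recommends, and reports devices that are on the network but not in the inventory (unauthorized) and inventoried devices that did not answer (missing). The inventory CSV, the nmap output, and the 192.0.2.0/24 addresses are constructed sample data.

```python
"""Reconcile an nmap host-discovery sweep against an authorized asset inventory.

Added example for Critical Control 1; it is not code from the nCircle deck.
The inventory CSV and the nmap output below are constructed sample data.
In practice, feed it real output from:  nmap -sn -oG - 192.0.2.0/24
"""
import csv
import io
import re

# Constructed inventory in the columns the slide recommends:
# network address, machine name, purpose, asset owner, department.
INVENTORY_CSV = """ip,hostname,purpose,owner,department
192.0.2.10,fs01,file server,jsmith,IT
192.0.2.11,db01,accounting database,jsmith,Finance
192.0.2.20,ws-recept,reception workstation,mlee,Front desk
192.0.2.21,ws-acct1,accounting workstation,kwong,Finance
"""

# Constructed nmap "grepable" (-oG) output from a ping sweep of the same subnet.
# 192.0.2.11 did not answer and 192.0.2.77 is not in the inventory.
NMAP_GREPABLE = """# Nmap scan initiated as: nmap -sn -oG - 192.0.2.0/24
Host: 192.0.2.10 (fs01.example.test)\tStatus: Up
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.21 (ws-acct1.example.test)\tStatus: Up
Host: 192.0.2.77 ()\tStatus: Up
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

# One -oG host line: "Host: <ip> (<reverse-dns or empty>)<tab>Status: Up"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up")


def load_inventory(text):
    """Map each inventoried IP to its CSV row."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(text))}


def parse_nmap_grepable(text):
    """Map each IP nmap reported as Up to the reverse-DNS name it printed."""
    live = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if match:
            live[match.group(1)] = match.group(2)
    return live


def reconcile(inventory_text, nmap_text):
    """Split the sweep into known-and-up, unauthorized, and missing hosts."""
    inventory = load_inventory(inventory_text)
    live = parse_nmap_grepable(nmap_text)
    return {
        "known_up": sorted(ip for ip in live if ip in inventory),
        "unauthorized": sorted(ip for ip in live if ip not in inventory),
        "missing": sorted(ip for ip in inventory if ip not in live),
    }


def report(inventory_text, nmap_text):
    """Human-readable exceptions list; an empty string means no exceptions."""
    inventory = load_inventory(inventory_text)
    result = reconcile(inventory_text, nmap_text)
    lines = []
    for ip in result["unauthorized"]:
        lines.append(f"UNAUTHORIZED {ip}: not in inventory, locate and identify it")
    for ip in result["missing"]:
        row = inventory[ip]
        lines.append(f"MISSING      {ip} ({row['hostname']}, owner {row['owner']}): "
                     "not seen, confirm it is down or retire the record")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY_CSV, NMAP_GREPABLE))
```

Running the sweep on a schedule and keeping the exceptions list empty is what turns a one-time inventory into the continuously monitored control the 20 Critical Controls describe; a ping sweep only sees hosts that answer, so pair it with DHCP or switch logs for devices that block ICMP.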
20. 2. Inventory of Authorized and Unauthorized Software
Unauthorized software is a common source of malware. Authorized
software needs to be updated regularly to remediate known vulnerabilities.
– Spiceworks (free)
– Kaspersky Antivirus ($)
– nCircle PureCloud ($)
– nCircle IP360 ($)
– nCircle CCM ($)
– Secunia PSI (free) and CSI ($)
21. 3. Secure Configurations for H/W and S/W on servers and workstations
Building and maintaining your systems to highly-secure "best practice"
standards greatly reduces the attack surface and makes it more difficult for
exploits to spread to other systems. Standard system configurations are
also easier and cheaper to maintain.
– CIS Benchmarks (free)
– Microsoft MBSA (free)
– Microsoft security policy templates (free)
– nCircle Configuration Compliance Manager ($)
– Secunia PSI (free) and CSI ($)
– NIST 800-53 (free)
– Vendor security hardening guidelines (free)
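An added example that is not from the nCircle deck and is not a CIS Benchmark: it shows the mechanics behind Control 3 and the password quick win earlier in the deck, checking an exported set of system settings against a hardening baseline and reporting every rule that fails or was never collected. The baseline rules, the `name = value` export format, and the workstation values are constructed placeholders shaped like the password-policy and service checks that benchmarks and security policy templates express.

```python
"""Compare collected system settings with a hardening baseline (Control 3).

Added example, not from the nCircle deck and not a CIS Benchmark: the baseline
rules and the collected settings are constructed placeholders shaped like the
password-policy and service checks such benchmarks and policy templates contain.
"""

# Constructed baseline: setting -> (operator, expected).
# "eq": must equal; "min": at least; "max": at most; "range": inclusive bounds.
BASELINE = {
    "password_min_length": ("min", 12),
    "password_max_age_days": ("max", 90),
    "lockout_threshold": ("range", (1, 5)),   # 0 disables lockout entirely
    "blank_passwords_allowed": ("eq", "no"),
    "guest_account_enabled": ("eq", "no"),
    "remote_desktop_enabled": ("eq", "no"),
    "host_firewall_enabled": ("eq", "yes"),
}

# Constructed export of the same settings from one workstation,
# in the "name = value" form a collection script might produce.
COLLECTED = """
# exported from ws-recept (constructed)
password_min_length = 8
password_max_age_days = 90
lockout_threshold = 0
guest_account_enabled = no
remote_desktop_enabled = yes
host_firewall_enabled = yes
"""


def parse_settings(text):
    """Parse 'name = value' lines; integers become int, others lower-case strings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        settings[name] = int(value) if value.lstrip("-").isdigit() else value.lower()
    return settings


def satisfies(op, expected, actual):
    """Evaluate one baseline operator; non-integer values never satisfy numeric rules."""
    if op == "eq":
        return actual == expected
    if op == "min":
        return isinstance(actual, int) and actual >= expected
    if op == "max":
        return isinstance(actual, int) and actual <= expected
    if op == "range":
        low, high = expected
        return isinstance(actual, int) and low <= actual <= high
    raise ValueError(f"unknown operator {op}")


def check_baseline(baseline, settings):
    """Return {setting: 'pass' | 'fail' | 'missing'} for every baseline rule.
    A setting absent from the export is 'missing', never silently passed."""
    results = {}
    for name, (op, expected) in baseline.items():
        if name not in settings:
            results[name] = "missing"
        else:
            results[name] = "pass" if satisfies(op, expected, settings[name]) else "fail"
    return results


def exceptions(baseline, settings):
    """Only the rules needing action, failures first, then uncollected settings."""
    results = check_baseline(baseline, settings)
    order = {"fail": 0, "missing": 1}
    return sorted(((name, status) for name, status in results.items() if status != "pass"),
                  key=lambda item: (order[item[1]], item[0]))


if __name__ == "__main__":
    for name, status in exceptions(BASELINE, parse_settings(COLLECTED)):
        op, expected = BASELINE[name]
        print(f"{status.upper():8} {name}: expected {op} {expected}")
```

Treating an uncollected setting as an exception rather than a pass matters: a workstation that was never asked about blank passwords is not known to be compliant, and the deck's own statistic is that blank or default passwords top the list of small-business findings.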
22. 10. Continuous Vulnerability Assessment and Remediation
New vulnerabilities are discovered every day. You need to continually
monitor your network for these vulnerabilities and patch them as quickly as
possible. Automated vulnerability scanning tools like nCircle PureCloud
can collect a hardware and software inventory in the process, addressing
Controls 1 and 2 at the same time.
– Microsoft WSUS (free)
– Secunia PSI (free), CSI ($)
– nCircle PureCloud ($)
– nCircle IP360 ($)
– Nessus (free or $)
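An added example of the "continuous" half of Control 10, not nCircle code and not the report format of any tool listed above: it diffs two successive scans to show what is new, fixed and persisting, carries the original first-seen date forward so a persisting finding's clock does not reset with every rescan, and flags findings that have exceeded a per-severity remediation window. The scan records, dates and `SLA_DAYS` windows are constructed, and the `VULN-000x` identifiers are placeholders rather than real advisories.

```python
"""Track vulnerability findings across scans and flag remediation SLA breaches.

Added example for Critical Control 10; it is not nCircle code or a PureCloud
report format. Scan records, dates and the SLA_DAYS windows are constructed,
and the VULN-000x identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from datetime import date

# Assumed remediation windows per severity, in days (set to your own policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str       # placeholder identifier
    severity: str      # one of SLA_DAYS' keys
    first_seen: date   # date the scanner first reported it


def key(finding):
    """A finding is the same finding if host and vulnerability match."""
    return (finding.host, finding.vuln_id)


# Constructed: last week's scan results, with first_seen already tracked...
PREVIOUS_SCAN = [
    Finding("fs01", "VULN-0001", "critical", date(2012, 4, 20)),
    Finding("db01", "VULN-0002", "high", date(2012, 3, 15)),
    Finding("ws-acct1", "VULN-0003", "medium", date(2012, 4, 25)),
]
# ...and this week's raw results, which the scanner stamps with the scan date.
SCAN_DATE = date(2012, 5, 8)
CURRENT_SCAN = [
    Finding("fs01", "VULN-0001", "critical", SCAN_DATE),
    Finding("db01", "VULN-0002", "high", SCAN_DATE),
    Finding("ws-recept", "VULN-0004", "high", SCAN_DATE),
]


def diff_scans(previous, current):
    """What changed between two scans: new, fixed, and persisting findings."""
    prev = {key(f) for f in previous}
    cur = {key(f) for f in current}
    return {
        "new": sorted(cur - prev),
        "fixed": sorted(prev - cur),
        "persisting": sorted(cur & prev),
    }


def carry_first_seen(previous, current):
    """Keep the original first_seen date for findings that persist, so the
    remediation clock does not reset each time the scanner reports them."""
    prev = {key(f): f for f in previous}
    carried = []
    for f in current:
        earlier = prev.get(key(f))
        if earlier is not None:
            f = Finding(f.host, f.vuln_id, f.severity, earlier.first_seen)
        carried.append(f)
    return carried


def sla_breaches(findings, today):
    """(host, vuln_id, severity, days_overdue) for findings past their window,
    most severe first and, within a severity, most overdue first."""
    breaches = []
    for f in findings:
        overdue = (today - f.first_seen).days - SLA_DAYS[f.severity]
        if overdue > 0:
            breaches.append((f.host, f.vuln_id, f.severity, overdue))
    rank = {sev: i for i, sev in enumerate(SLA_DAYS)}
    return sorted(breaches, key=lambda b: (rank[b[2]], -b[3]))


if __name__ == "__main__":
    changes = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)
    print(f"new {len(changes['new'])}, fixed {len(changes['fixed'])}, "
          f"persisting {len(changes['persisting'])}")
    tracked = carry_first_seen(PREVIOUS_SCAN, CURRENT_SCAN)
    for host, vuln, sev, days in sla_breaches(tracked, SCAN_DATE):
        print(f"OVERDUE {days:3} days  {sev:8} {host} {vuln}")
```

The carry-forward step is the one most often skipped: if each scan is read on its own, every finding looks one day old and nothing ever breaches the window, which is exactly how a compromise sits undetected for the weeks or months cited earlier in the deck.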
23. Control Zero—the most essential one
• Executive Management Support and Commitment to
Security
• You can’t succeed without this!
24. Your Action Plan
– Engage senior management (CIO, CEO, CFO)
– Compare your current state to the recommendations of the Critical
Controls
– Create your security policy
– Educate your users about the security policy and the dangers they need
to be aware of
– Implement some "quick win" Critical Controls within 60 days
– Identify additional Controls to be implemented in the next 60 days
– Ensure that the Controls are integrated into your
routine IT processes
– Keep improving!
25. Poll Question
Which security resources and news sites do you visit
regularly? (select all that apply if this is possible)
ISSA – Attend local meetings
InfraGard – Talk to the FBI about security
SANS NewsBites
Dark Reading
Krebs on Security
Securosis
None of the above
26. Make some friends and know what’s happening
• ISSA – Attend local meetings to learn and network (www.issa.org)
• InfraGard – Meet and talk to the FBI about security (www.infraguard.net)
• SANS – Everything security, including the Critical Controls (www.sans.org)
– SANS NewsBites – just what it says (sans.org/newsletters/newsbites/)
• Dark Reading– security news and research (www.darkreading.com)
• Krebs on Security – cyber crime news (krebsonsecurity.com)
• Securosis – security research and advisories (securosis.com)
• NIST Special Publications (csrc.nist.gov/publications/PubsSPs.html)
• PCI Data Security Standard
(pcisecuritystandards.org/security_standards/)
27. nCircle Solutions for the 20 Critical Controls
28. Questions?