IT Security Management: People, Procedures and Tools
Managing systems and information security can be daunting for NGOs with a global presence and limited resources. Looking at the issue through the lens of people, procedures and tools, this session will discuss approaches for ensuring IT security to minimize risk to your organization.
Andrew S. Baker, President of BrainWave Consulting Company, LLC
Page 2 © 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved.
Today’s Goals
• Outline some key premises about Information Security
• Provide suggestions for dealing with today’s challenges, especially in a global setting
• Understand the importance of communication to effective Information Security
• Look for low-cost ways to obtain security information and resources
There is NO Such Thing as a FREE Lunch
Basic Tenets of Information Security
• Information Security is a lifestyle, not an event
• It’s about managing – not eliminating – risk
• It’s all about People, Processes and Tools/Technology
• It must be intrinsic to operations, not bolted on
• Complexity is the enemy of good security
• It’s not easy, but it needs to look easy
• How you spend is more important than How Much you spend
Security is a Lifestyle, not an Event
• Good information security must be made intrinsic to business operations
• Security is a journey, not a destination
• Security is a moving target
• Security is the management of threats, risks and mitigations
• Consistency is the best friend of good security
• Complexity is the worst enemy of good security
All About People
• The right people can overcome deficiencies in your policies, processes and technology
• The wrong people will likely undermine even the very best policies, processes and technology
• Trust is the most important characteristic in the people supporting your security. Trust, but verify.
• Hire people because they align with your goals and understand the technology – not because they are good at catching bad guys
All About Processes & Procedures
• They must be relevant to the risks of your environment
• You need just enough processes to get the job done; documentation must be one of those processes
• They should be simple enough to explain and monitor, yet robust enough for your needs
• They must be regularly evaluated for suitability, effectiveness and adherence
• Security has to be intrinsic to your operations, and consistently applied
All About Tools & Technology
• Make sure your tools only implement your security, not define it
• Encryption, Encryption, Key Management & Encryption
• Fewer tools are better than more tools (CiTEoGS: Complexity is The Enemy of Good Security)
• Tool priority:
  • Detection
  • Prevention
  • Monitoring
  • Reporting
• Storage, storage, storage
Complexity is the enemy of good security
• Most security issues stem from configuration problems or errors
• The more complex your configuration:
  • the more likely you’ll have security-impacting errors
  • the more likely you’ll have insecure components installed
  • the longer it will take to notice a potential intruder
  • the more money/time you will spend to support it
• Simplicity has many advantages, including cost, training time and visibility.
Risk management, not Risk elimination
• Eliminating all risk is not only costly – it’s impossible
• Determine what risks you can accept and what risks you can transfer, reduce, or avoid – then prioritize your resources accordingly
• Risk management begins with a valid inventory of personnel, equipment and data
Relationship of Spending to Security
• More money doesn't automatically mean better security
• Spending in the wrong place is worse than not spending at all.
• There are some things you can build and some you can buy.
• You can spend on people or technology or both
Security Spending: Build vs Buy
• Option 1: Hire the brightest people and build everything
• Option 2: Hire decent people, and buy the right technology solutions
• Option 3: Figure out how to divide your meager budget between good-enough people and good-enough technology solutions
Cover the Basics – Policy & Procedures
• Ensure that everyone is subject to the same minimum security level
• Security Awareness Training
• Treat Information Security as more than a computer or technology issue
• Don’t take any abnormal computing activity for granted
Cover the Basics – Tactical & Operational
• Patch Management
• End-point protection (Antivirus, Antimalware)
• Use password managers and strong passwords
• Segregate your computing activity (secure vs non-secure)
• Make time to review logs
Things to Do – Policy & Methodology
#1: Consolidate Your Tools
#2: Encourage a Culture of Security
#3: Keep Projects Small
#4: Use Native Features
#5: Access Security Communities
#6: Focus on Insurance vs Investment
#1: Consolidate Your Tools
• Defense in Depth is still important, but don’t have too many tools doing the same things
• Integrated security hardware is preferable to completely separate hardware for each function
#2: Encourage a Culture of Security
• Reward employees who maintain high security
• Don’t limit security to technology-related areas:
  • Keeping desks clear
  • Managing confidential documents
  • Escorting visitors
  • Not picking up stray thumb drives
  • Keeping workstations locked
  • Not discussing sensitive information in open spaces
#3: Keep Projects Small
• Regardless of staffing size, small, discrete projects are more successfully implemented than massive, overarching projects
• Projects that take more than 2-3 weeks to fully implement are likely to be partially deployed or get postponed repeatedly
#4: Use Native Features
• As much as possible, take advantage of the software that you’ve already paid for
• Advantages of using native software include:
  • Compatibility with more hardware and software
  • More controllable updates (generally)
  • Broader support potential from vendors and staff
#5: Access Security Communities
• There are a wide variety of mailing lists, forums and social media communities that focus on current security information:
  • http://seclists.org/
  • http://secunia.com/community/advisories/
  • http://myitforum.com/myitforumwp/community/groups/
  • http://www.us-cert.gov/mailing-lists-and-feeds
• Individual countries have their own CERT (Computer Emergency Response Team) as well
#6: Focus on Insurance vs Investment
• Don’t get hung up on trying to provide ROI for security initiatives
• Information Security is an insurance policy to keep the business operational; it’s a revenue protection mechanism
• True, there are investment aspects to information security as well, but the focus must be on preventing business-ending events
Things to Do – Tactical
#1: Secure All Network Access
#2: Audit all Computing Activities
#3: Protect Data at Rest
#4: Secure Integration With Other Networks
#5: Effective Backup & Restore Options
#6: Security Education
#1: Secure Access
Avoid clear-text protocols, especially when it comes to administrative access
-- User access = HTTPS
-- Admin access = HTTPS / SSH
Support strong and flexible password policies
Support comprehensive role-based usage and administration
Use certificates not only to ensure secure transmission, but to validate the client side of the connection
SSL/TLS and SSH are some of the technologies that should be employed for ensuring secure access
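An added example (not from the deck) of the two sides of such a connection, using Python's standard ssl module: a server context that insists on TLS 1.2 or later and on a client certificate (mutual TLS), the matching client context, and an audit helper that reports contexts falling short of that bar. Certificate and CA file paths are parameters the caller supplies; the comparison below loads no real files, so the weak-versus-hardened check runs offline.

```python
import ssl

# Added example, not code from the deck. cafile/certfile/keyfile are
# placeholders for the CA bundle, server or client certificate and private key
# that a real deployment would pass in.


def hardened_server_context(cafile=None, certfile=None, keyfile=None):
    """Server side for user/admin access: TLS 1.2+, client certificate required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED on a server means mutual TLS: the client must present a
    # certificate that chains to a CA loaded via load_verify_locations().
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:                      # CA that issued the client certificates
        ctx.load_verify_locations(cafile=cafile)
    if certfile:                    # the server's own identity
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def hardened_client_context(cafile=None, certfile=None, keyfile=None):
    """Client side of the same connection: verify the server, present our cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True       # bind the server name to its certificate
    if certfile:                    # our client certificate for mutual TLS
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def weak_server_context():
    """A default, unhardened server context, kept only for comparison."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)   # verify_mode is CERT_NONE


def audit_context(ctx):
    """Return human-readable findings for a context that falls short of the bar."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: unauthenticated endpoints can connect")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and not ctx.check_hostname:
        findings.append("hostname checking disabled: server identity is not validated")
    return findings


if __name__ == "__main__":
    print("weak server:     ", audit_context(weak_server_context()))
    print("hardened server: ", audit_context(hardened_server_context()))
    print("hardened client: ", audit_context(hardened_client_context()))
```

The same audit can be run against any context an application builds before it is handed to a socket; a non-empty list is the cue to stop and fix the configuration rather than ship it.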
#2: Audited Access
It’s not enough to have secure access. It’s important that the access be auditable.
Keep track of users and user activity
You need to be able to track who accessed what, from where, and at what time.
Keep details of administrative activity and provide robust reporting
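Both "Make time to review logs" (under Cover the Basics) and this slide ask for an audit trail that answers who, what, from where and when. The Python below is an added example, not material from the deck: it parses a constructed access log in an assumed format, builds that per-user trail, separates administrative actions, and reports the things a reviewer should look at first (failed-login bursts from one address, one account succeeding from several addresses, administrative changes outside business hours, and lines that do not parse). The log format, the set of administrative action names and the business-hours window are all assumptions made for the demo.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not from the deck). Assumed line format:
#   <UTC timestamp> <user> <action> <resource> from <ip> result=<ok|fail>
SAMPLE_LOG = """\
2013-05-06T08:01:12Z alice login portal from 203.0.113.10 result=ok
2013-05-06T08:03:40Z alice read donor_db from 203.0.113.10 result=ok
2013-05-06T09:15:02Z bob login portal from 198.51.100.7 result=fail
2013-05-06T09:15:09Z bob login portal from 198.51.100.7 result=fail
2013-05-06T09:15:15Z bob login portal from 198.51.100.7 result=fail
2013-05-06T09:15:22Z bob login portal from 198.51.100.7 result=fail
2013-05-06T12:30:00Z carol config_change firewall from 192.0.2.44 result=ok
2013-05-06T23:47:10Z carol user_create admin2 from 192.0.2.44 result=ok
2013-05-06T23:48:00Z alice login portal from 198.51.100.99 result=ok
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+) "
    r"from (?P<ip>\S+) result=(?P<result>ok|fail)$"
)
ADMIN_ACTIONS = {"sudo", "config_change", "user_create", "user_delete"}  # assumed
BUSINESS_HOURS = range(8, 18)   # UTC; assumption for the demo


def parse_line(line):
    """Return a record dict for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def audit(lines, failure_threshold=3):
    """Who accessed what, from where and when, plus findings worth a human's time."""
    events, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1        # never drop unparsed lines silently; they are a finding
        else:
            events.append(rec)

    by_user = defaultdict(list)  # the trail: (when, what, on which resource, from where, result)
    fails_by_ip = Counter()
    ips_by_user = defaultdict(set)
    admin_events = []
    for e in events:
        by_user[e["user"]].append((e["ts"], e["action"], e["resource"], e["ip"], e["result"]))
        if e["result"] == "fail":
            fails_by_ip[e["ip"]] += 1
        else:
            ips_by_user[e["user"]].add(e["ip"])
        if e["action"] in ADMIN_ACTIONS:
            admin_events.append(e)

    findings = []
    for ip, n in fails_by_ip.items():
        if n >= failure_threshold:
            findings.append(f"{n} failed attempts from {ip} (possible password guessing)")
    for user, ips in ips_by_user.items():
        if len(ips) > 1:
            findings.append(f"{user} succeeded from {len(ips)} addresses: {sorted(ips)}")
    for e in admin_events:
        if e["result"] == "ok" and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(f"admin action {e['action']} by {e['user']} at "
                            f"{e['ts']:%H:%M}Z outside business hours")
    if unparsed:
        findings.append(f"{unparsed} line(s) could not be parsed; check log format or tampering")
    return {"events": len(events), "by_user": dict(by_user),
            "admin_events": admin_events, "findings": findings}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines())["findings"]:
        print("FINDING:", f)
```

The point of the per-user trail is that every finding can be traced back to a concrete line: the reviewer sees the burst of failures, the second address, or the late-night account creation, not just a count.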
#3: Data at Rest
Encrypting data in motion is well accepted today.
Encrypting data at rest is still a little iffy today.
In the event that you are breached or suspect a breach, the statements you are able to make about the targeted data will depend heavily on whether or not it was encrypted.
#4: Secure Integration with Others
Remember that your “perimeter” extends into all other networks that you choose to connect to your own.
This includes cloud computing vendors, mobile providers, outsourcers, business partners, etc.
You must ensure that you do not undermine the security of your application through insecure integration with other platforms (e.g. mobile) or other providers.
#5: Effective Backup & Restore Options
Disaster Recovery and Business Continuity are often considered when it is too late.
Good security is not just about “protection,” but about availability and data integrity.
Consider all the ways that your data could become inaccessible, and make some allowance for the most likely or most damaging scenarios.
And, test, test, test!
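"Test, test, test" is the step most organizations skip. The Python below is an added example (not from the deck) of a restore drill that can run on a schedule: back up a directory and record a SHA-256 manifest, restore into a clean directory, refuse an archive that would write outside that directory, and compare every restored file against the manifest. The second pass restores from a deliberately truncated copy of the archive to show that a backup which cannot be restored is detected rather than assumed good. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Added example, not code from the deck. Sample files below are constructed.


def hash_tree(root):
    """{relative path: sha256} for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_dir, archive_path):
    """Write a gzip tar of src_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return hash_tree(src_dir)


def restore_and_verify(archive_path, manifest, restore_dir):
    """Restore into restore_dir and compare with the manifest. Returns (ok, problems)."""
    restore_dir = Path(restore_dir)
    base = str(restore_dir.resolve())
    problems = []
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for m in tar.getmembers():   # refuse archives that would escape restore_dir
                dest = str((restore_dir / m.name).resolve())
                if os.path.commonpath([base, dest]) != base:
                    return False, [f"unsafe member path in archive: {m.name}"]
            try:
                tar.extractall(str(restore_dir), filter="data")  # Python 3.12+ and backports
            except TypeError:
                tar.extractall(str(restore_dir))                 # older Python: no filter arg
    except (tarfile.TarError, EOFError, OSError) as exc:
        return False, [f"archive unreadable: {exc}"]

    restored = hash_tree(restore_dir)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    for rel in restored.keys() - manifest.keys():
        problems.append(f"unexpected file after restore: {rel}")
    return not problems, problems


def drill():
    """Run the drill twice: from an intact backup, then from a truncated copy."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "donors.txt").write_text("alice\nbob\n")

        archive = work / "backup.tgz"
        manifest = make_backup(src, archive)
        ok_intact, _ = restore_and_verify(archive, manifest, work / "restore_intact")

        damaged = work / "damaged.tgz"          # simulate media or transfer corruption
        blob = archive.read_bytes()
        damaged.write_bytes(blob[: len(blob) // 2])
        ok_damaged, problems = restore_and_verify(damaged, manifest, work / "restore_damaged")
        return ok_intact, ok_damaged, problems


if __name__ == "__main__":
    print(drill())
```

Keep the manifest with the backup but not only inside it: a manifest stored next to the archive (or in a separate system) is what lets the drill say "restored and matches" rather than "restored without errors", and the drill should be run from the restore host, not the backup host.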
#6: Security Education & Awareness
Security education need not be elaborate, and it need not be costly.
Security education just needs to be:
• Relevant to the current threats
• Relevant to the user roles
• Comprehensive (over time)
• Actionable
• Measurable
• Periodic
• Rewarding
• Personally Applicable
Considerations for the Cloud
#1: Security in the cloud is an extension of security outside the cloud.
#2: Auditing and reporting are some of the most important security needs that vendors take the longest to address.
#3: The best security options in a cloud service cannot overcome the worst security practices by a customer (or provider). Tools are just a means of facilitating process.
Considerations for the Cloud (Continued)
#4: There are many legal components of cloud security that are overlooked until very late in the procurement process. Get your legal team involved early.
#5: Your data is not automatically safer on-premises or less safe in the cloud (or vice versa). You *might* have more control over your data on your own premises, but without the processes, tools or staffing to address issues, your data will be at risk.
#6: Regular risk assessments are needed to ensure that the right level of security is being applied to your data.
Summary of “DO”s
• Keep things as simple as possible
• Start with clear policies and procedures
• Use native tools
• Use trusted open source tools
• Use “Community Edition” tools
• Hire the right people
• Regularly communicate with employees, management and key partners
• Keep abreast of current risks
Summary of “DON’T”s
• Don’t lose control of your data
  • If you use 3rd parties to host or manage your data, encrypt it
• Don’t unnecessarily expose or discuss your security mechanisms in detail
  • There is some security in obscurity
• Don’t ignore the security-trained resources that you have access to
  • Your staff is really trying to help you. If anything, educate them about how to make decisions with limited data
• The security of your data is ultimately your problem
  • Don’t expect to off-load 100% of the security concerns your organization faces to your cloud vendors or other 3rd parties. Your practices are important too.
There is NO Such Thing as a FREE Lunch
Question & Answer Time
Contact Info:
Andrew S. Baker
www.BrainWaveCC.com
ABaker@BrainWaveCC.com
http://XeeMe.com/AndrewBaker

Contenu connexe

Tendances

Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Paul C. Van Slyke
 

Tendances (20)

Aaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & DefenseAaron Higbee - The Humanity of Phishing Attack & Defense
Aaron Higbee - The Humanity of Phishing Attack & Defense
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
 
Security challenges in 2017
Security challenges in 2017Security challenges in 2017
Security challenges in 2017
 
Trustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education CatalogTrustwave Cybersecurity Education Catalog
Trustwave Cybersecurity Education Catalog
 
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
 
Harry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get WorseHarry Regan - It's Never So Bad That It Can't Get Worse
Harry Regan - It's Never So Bad That It Can't Get Worse
 
Deral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail LaterDeral Heiland - Fail Now So I Don't Fail Later
Deral Heiland - Fail Now So I Don't Fail Later
 
Beware the Firewall My Son: The Workshop
Beware the Firewall My Son: The WorkshopBeware the Firewall My Son: The Workshop
Beware the Firewall My Son: The Workshop
 
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
 SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
 
Insider threats - Lessons from Snowden (ISF UK Chapter)
Insider threats - Lessons from Snowden (ISF UK Chapter)Insider threats - Lessons from Snowden (ISF UK Chapter)
Insider threats - Lessons from Snowden (ISF UK Chapter)
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
Ruben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security InitiativesRuben Melendez - Economically Justifying IT Security Initiatives
Ruben Melendez - Economically Justifying IT Security Initiatives
 
Information Security & Manufacturing
Information Security & ManufacturingInformation Security & Manufacturing
Information Security & Manufacturing
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be Breached
 
Info Sec2007 End Point Final
Info Sec2007   End Point FinalInfo Sec2007   End Point Final
Info Sec2007 End Point Final
 
Business-Critical Backup: Preparing for a Disaster
Business-Critical Backup: Preparing for a DisasterBusiness-Critical Backup: Preparing for a Disaster
Business-Critical Backup: Preparing for a Disaster
 
The 5 ws of Cyber Security
The 5 ws of Cyber SecurityThe 5 ws of Cyber Security
The 5 ws of Cyber Security
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 

En vedette

Security Procedures
Security ProceduresSecurity Procedures
Security Procedures
Ian Strever
 
Leveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log ManagementLeveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log Management
Tripwire
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
Tony Hauxwell
 
Chapter 4 health, safety and security procedures
Chapter 4 health, safety and security proceduresChapter 4 health, safety and security procedures
Chapter 4 health, safety and security procedures
Pat Cabangis
 

En vedette (17)

Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...Reasonable security practices and procedures and sensitive personal data or i...
Reasonable security practices and procedures and sensitive personal data or i...
 
Security Procedures
Security ProceduresSecurity Procedures
Security Procedures
 
Log management
Log managementLog management
Log management
 
Security Procedures
Security ProceduresSecurity Procedures
Security Procedures
 
Review of Information Security Concepts
Review of Information Security ConceptsReview of Information Security Concepts
Review of Information Security Concepts
 
Intrusion Prevention Systems
Intrusion Prevention SystemsIntrusion Prevention Systems
Intrusion Prevention Systems
 
types of personal computer
types of personal computertypes of personal computer
types of personal computer
 
Leveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log ManagementLeveraging Compliance for Security with SIEM and Log Management
Leveraging Compliance for Security with SIEM and Log Management
 
Types of personal computers
Types of personal computersTypes of personal computers
Types of personal computers
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
 
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS CompliantRequirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
Requirements and Security Assessment Procedure for C7 To Be PCI DSS Compliant
 
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala  24 06 2...Reasonable Security Practices And Procedures And Sensitive Personala  24 06 2...
Reasonable Security Practices And Procedures And Sensitive Personala 24 06 2...
 
Chapter 4 health, safety and security procedures
Chapter 4 health, safety and security proceduresChapter 4 health, safety and security procedures
Chapter 4 health, safety and security procedures
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011 SIEM vs Log Management - Data Security Solutions 2011
SIEM vs Log Management - Data Security Solutions 2011
 
Security Management Practices
Security Management PracticesSecurity Management Practices
Security Management Practices
 
INFORMATION SECURITY
INFORMATION SECURITYINFORMATION SECURITY
INFORMATION SECURITY
 

Similaire à IT Security Management -- People, Procedures and Tools

The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
Mark Simos
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
madunix
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEs
Sonny Hashmi
 
Dynamic Cyber Defense
Dynamic Cyber DefenseDynamic Cyber Defense
Dynamic Cyber Defense
EnergySec
 

Similaire à IT Security Management -- People, Procedures and Tools (20)

Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptx
 
Small Business Administration Recommendations
Small Business Administration RecommendationsSmall Business Administration Recommendations
Small Business Administration Recommendations
 
Jason r mc kinney halfday
Jason r mc kinney halfdayJason r mc kinney halfday
Jason r mc kinney halfday
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
SECURITY AND CONTROL
SECURITY AND CONTROLSECURITY AND CONTROL
SECURITY AND CONTROL
 
Chapter 1 introduction(web security)
Chapter 1 introduction(web security)Chapter 1 introduction(web security)
Chapter 1 introduction(web security)
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEs
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb es
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdfBATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern48_How Zero Trust can help your organisation keep safe.pdf
 
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdfWhat Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
What Is Digital Asset Security. What Are the Risks Associated With It.docx.pdf
 
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
The Three Major Goals of Cybersecurity for Business Organizations-precise tes...
 
Secure Iowa Oct 2016
Secure Iowa Oct 2016Secure Iowa Oct 2016
Secure Iowa Oct 2016
 
Dynamic Cyber Defense
Dynamic Cyber DefenseDynamic Cyber Defense
Dynamic Cyber Defense
 
Information Security is NOT an IT Issue
Information Security is NOT an IT IssueInformation Security is NOT an IT Issue
Information Security is NOT an IT Issue
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 

IT Security Management -- People, Procedures and Tools

  • 1. IT Security Management: People, Procedures and Tools Managing systems and information security can be daunting for NGOs with a global presence and limited resources. Looking at the issue through the lens of people, procedures and tools, this session will discuss approaches for ensuring IT security to minimize risk to your organization. Andrew S. Baker, President of BrainWave Consulting Company, LLC
  • 2. Page 2© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Outline some key premises about Information Security • Provide suggestions for dealing with today’s challenges, especially in a global setting • Understanding the importance of communication to effective Information Security • Look for low-cost ways to obtain security information and resources Today’s Goals
  • 3. Page 3© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. There is NO SuchThing as a FREE Lunch
  • 4. Page 4© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Information Security is a lifestyle, not an event • It’s about managing – not eliminating – risk • It’s all about People, Processes and Tools/Technology • It must be intrinsic to operations, not bolted on • Complexity is the enemy of good security • It’s not easy, but it needs to look easy • How you spend is more important than How Much you spend BasicTenets of Information Security
  • 5. Page 5© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Good information security must be made intrinsic to business operations • Security is a journey, not a destination • Security is a moving target • Security is the management of threats, risks and mitigations • Consistency is the best friend of good security • Complexity is the worst enemy of good security Security is a Lifestyle, not an Event
  • 6. Page 6© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • The right people can overcome deficiencies in your policies, processes and technology • The wrong people will likely undermine even the very best policies, processes and technology • Trust is the most important characteristic in the people supporting your security. Trust, but Verify • Hire people because they align with your goals and understand the technology – not because they are good at catching bad guys All About People
  • 7. Page 7© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • They must be relevant to the risks of your environment • You need just enough processes to get the job done; Documentation must be one of those processes • They should be simple enough to explain and monitor, yet robust enough for your needs • They must be regularly evaluated for suitability, effectiveness and adherence • Security has to be intrinsic to your operations, and consistently applied All About Processes & Procedures
  • 8. Page 8© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Make sure your tools only implement your security, not define it • Encryption, Encryption, Key Management & Encryption • Less tools is better than more tools (CiTEoGS) • Tool priority: • Detection • Prevention • Monitoring • Reporting • Storage, storage, storage All AboutTools &Technology
  • 9. Page 9© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Most security issues stem from configuration problems or errors • The more complex your configuration: • the more likely you’ll have security-impacting errors • the more likely you’ll have insecure components installed • the longer it will take to notice a potential intruder • the more money/time you will spend to support it • Simplicity has many advantages, including cost, training time and visibility. Complexity is the enemy of good security
  • 10. Page 10© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Eliminating all risk is not only costly – it’s impossible • Determine what risks you can accept and what risks you can transfer, reduce, or avoid – then prioritize your resources accordingly • Risk management begins with a valid inventory of personnel, equipment and data Risk management, not Risk elimination
  • 11. Page 11© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • More money doesn't automatically mean better security • Spending in the wrong place is worse than not spending at all. • There are some things you can build and some you can buy. • You can spend on people or technology or both Relationship of Spending to Security
  • 12. Page 12© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Option 1: Hire the brightest people and build everything • Option 2: Hire decent people, and buy the right technology solutions • Option 3: Figure out how to divide your meager budget between good enough people and good enough technology solutions Security Spending: Build vs Buy
  • 13. Page 13© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Ensure that everyone is subject to the same minimum security level • Security Awareness Training • Treat Information Security as more than a computer or technology issue • Don’t take any abnormal computing activity for granted Cover the Basics – Policy & Procedures
  • 14. Page 14© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. • Patch Management • End-point protection (Antivirus, Antimalware) • Use password managers and strong passwords • Segregate your computing activity (secure vs non-secure) • Make time to review logs Cover the Basics –Tactical & Operational
  • 15. Page 15© 1995-2013 – BrainWave Consulting Company, LLC, All rights reserved. #1: Consolidate Your Tools #2: Encourage a Culture of Security #3: Keep Projects Small #4: Use Native Features #5: Access Security Communities #6: Focus on Insurance vs Investment Things to Do – Policy & Methodology
Page 16: #1: Consolidate Your Tools
• Defense in depth is still important, but don't have too many tools doing the same thing; every extra tool is one more thing to patch, configure and watch.
• Integrated security hardware (one device handling several functions) is preferable to completely separate hardware for each function.
Page 17: #2: Encourage a Culture of Security
• Reward employees who maintain high security.
• Don't limit security to technology-related areas:
  • Keeping desks clear
  • Managing confidential documents
  • Escorting visitors
  • Not picking up (let alone plugging in) stray thumb drives
  • Keeping workstations locked
  • Not discussing sensitive information in open spaces
Page 18: #3: Keep Projects Small
• Regardless of staffing size, small, discrete projects are implemented more successfully than massive, overarching projects.
• Projects that take more than 2-3 weeks to fully implement are likely to end up partially deployed or to be postponed repeatedly.
Page 19: #4: Use Native Features
• As much as possible, take advantage of the software you have already paid for: the security features built into your operating systems and applications.
• Advantages of using native software include:
  • Compatibility with more hardware and software
  • More controllable updates (generally)
  • Broader support potential from vendors and staff
Page 20: #5: Access Security Communities
• There is a wide variety of mailing lists, forums and social-media communities that focus on current security information:
  • http://seclists.org/
  • http://secunia.com/community/advisories/
  • http://myitforum.com/myitforumwp/community/groups/
  • http://www.us-cert.gov/mailing-lists-and-feeds
• Other countries have their own CERT (Computer Emergency Response Team) publishing advisories as well.
Page 21: #6: Focus on Insurance vs Investment
• Don't get hung up on trying to prove ROI for security initiatives.
• Information security is an insurance policy that keeps the business operational; it is a revenue-protection mechanism.
• True, there are investment aspects to information security as well, but the focus must be on preventing business-ending events.
Page 22: Things to Do – Tactical
#1: Secure All Network Access
#2: Audit All Computing Activities
#3: Protect Data at Rest
#4: Secure Integration With Other Networks
#5: Effective Backup & Restore Options
#6: Security Education
Page 23: #1: Secure Access
• Avoid clear-text protocols, especially for administrative access:
  • User access: HTTPS
  • Admin access: HTTPS / SSH
• Support strong and flexible password policies.
• Support comprehensive role-based usage and administration.
• Use certificates not only to secure the transmission but also to validate the client side of the connection (mutual authentication), so that a stolen password alone is not enough to reach the admin interface.
• SSL/TLS and SSH are among the technologies that should be employed to ensure secure access.
Page 24: #2: Audited Access
• It is not enough to have secure access; the access must also be auditable.
• Keep track of users and user activity: you need to be able to say who accessed what, from where, and at what time.
• Keep details of administrative activity and provide robust reporting.
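As an added example, not from the deck, here is what "who accessed what, from where, and at what time" looks like once it is turned into code, together with the kind of checks a scheduled log review (the "make time to review logs" item on page 14) should run over an SSH/sudo auth log. The program is mine, written in Go; the log lines, host, user names and addresses are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the function names (ParseAuthLog, FailedLoginsBySource, Review) and the threshold of three failures are assumptions, not anything the slides specify.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Event is the "who, what, from where, when" record that the slide asks for.
type Event struct {
	When   string // syslog timestamp, as written in the line
	Host   string
	User   string
	Source string // remote address for sshd events, "local" for sudo
	Action string // "failed-login", "login" or "sudo"
	Detail string
}

// Constructed sample lines in OpenSSH/syslog format; not taken from any real host.
const sampleAuthLog = `Mar  3 09:12:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2
Mar  3 09:12:03 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51423 ssh2
Mar  3 09:12:05 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51424 ssh2
Mar  3 09:12:07 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51425 ssh2
Mar  3 09:12:09 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51426 ssh2
Mar  3 09:15:40 web1 sshd[2390]: Accepted publickey for abaker from 198.51.100.24 port 40012 ssh2: ED25519 SHA256:q2F0Y2gtbWUtaWYteW91LWNhbg
Mar  3 09:16:02 web1 sudo:   abaker : TTY=pts/0 ; PWD=/home/abaker ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:20:11 web1 sshd[2402]: Accepted password for backup from 203.0.113.7 port 51500 ssh2`

const tsHost = `^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) `

var (
	reFailed = regexp.MustCompile(tsHost + `sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+`)
	reAccept = regexp.MustCompile(tsHost + `sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+`)
	reSudo   = regexp.MustCompile(tsHost + `sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$`)
)

// ParseAuthLog turns raw auth.log text into Events, ignoring lines it does not understand.
func ParseAuthLog(text string) []Event {
	var events []Event
	for _, line := range strings.Split(text, "\n") {
		if m := reFailed.FindStringSubmatch(line); m != nil {
			events = append(events, Event{m[1], m[2], m[3], m[4], "failed-login", "password"})
		} else if m := reAccept.FindStringSubmatch(line); m != nil {
			events = append(events, Event{m[1], m[2], m[4], m[5], "login", m[3]})
		} else if m := reSudo.FindStringSubmatch(line); m != nil {
			events = append(events, Event{m[1], m[2], m[3], "local", "sudo", "as " + m[4] + ": " + m[5]})
		}
	}
	return events
}

// FailedLoginsBySource counts failed logins per remote address.
func FailedLoginsBySource(events []Event) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		if e.Action == "failed-login" {
			counts[e.Source]++
		}
	}
	return counts
}

// Review walks the events in order and returns findings for:
//  1. a source reaching `threshold` failed logins (password guessing),
//  2. a successful login from a source that failed earlier in the same log
//     (the guessing may have worked), and
//  3. every privileged command, because admin activity is always reviewed.
func Review(events []Event, threshold int) []string {
	failed := map[string]int{}
	var findings []string
	for _, e := range events {
		switch e.Action {
		case "failed-login":
			failed[e.Source]++
			if failed[e.Source] == threshold {
				findings = append(findings, fmt.Sprintf("%s: %d+ failed logins from %s (last user %q)", e.When, threshold, e.Source, e.User))
			}
		case "login":
			if n := failed[e.Source]; n > 0 {
				findings = append(findings, fmt.Sprintf("%s: login for %s from %s after %d failures (%s)", e.When, e.User, e.Source, n, e.Detail))
			}
		case "sudo":
			findings = append(findings, fmt.Sprintf("%s: %s on %s ran %s", e.When, e.User, e.Host, e.Detail))
		}
	}
	return findings
}

func main() {
	events := ParseAuthLog(sampleAuthLog)
	counts := FailedLoginsBySource(events)
	sources := make([]string, 0, len(counts))
	for s := range counts {
		sources = append(sources, s)
	}
	sort.Strings(sources)
	for _, s := range sources {
		fmt.Printf("%-15s %d failed logins\n", s, counts[s])
	}
	for _, f := range Review(events, 3) {
		fmt.Println("FINDING", f)
	}
}
```

On the sample it reports three findings: the guessing run from 203.0.113.7, the sudo command run by abaker, and the password login for `backup` from the same address that had just failed five times, which is the one a human should look at first. Two practical notes: the records are only trustworthy if the log leaves the host (an attacker who gets root can edit a local auth.log, so forward to a central collector), and the same three checks apply unchanged to Windows security events or VPN logs once the parser is swapped.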
Page 25: #3: Data at Rest
• Encrypting data in motion is well accepted today.
• Encrypting data at rest is still a little iffy today: less common, and less consistently done.
• If you are breached, or suspect a breach, what you can truthfully say about the targeted data depends heavily on whether it was encrypted, and on whether the keys were kept apart from it.
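The following is an added example, not from the slides, of what a careful data-at-rest routine looks like, written in Go with AES-256-GCM from the standard library. The stored format (a version byte, a random nonce, then the ciphertext with its authentication tag), the names Seal, Open, NewKey and KeyID, and the sample CSV record are all mine. The example assumes the key is fetched from a KMS, HSM or OS keystore at run time and is never written next to the data; encrypting a file and leaving the key on the same disk or with the same hosting provider gives you nothing to say after a breach.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Stored layout: version byte | 12-byte random nonce | GCM ciphertext with its 16-byte tag.
const (
	formatVersion = 1
	nonceSize     = 12
	tagSize       = 16
	keySize       = 32 // AES-256
)

// NewKey returns a fresh random data-encryption key. Assumption: in production the key comes
// from a KMS, HSM or OS keystore and is never stored on the same disk, or with the same
// hosting provider, as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// KeyID is a short identifier that is safe to log next to a ciphertext.
func KeyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:4])
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with AES-256-GCM. context (for example the record's path
// or ID) is authenticated but not encrypted, so a blob copied onto another record will not open.
func Seal(key, plaintext []byte, context string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	blob := append([]byte{formatVersion}, nonce...)
	return aead.Seal(blob, nonce, plaintext, []byte(context)), nil
}

// Open reverses Seal. Any change to the blob, the key or the context gives an error rather
// than garbage; that is what the authentication tag buys over a bare block-cipher mode.
func Open(key, blob []byte, context string) ([]byte, error) {
	if len(blob) < 1+nonceSize+tagSize || blob[0] != formatVersion {
		return nil, errors.New("not a version-1 sealed record")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, blob[1:1+nonceSize], blob[1+nonceSize:], []byte(context))
	if err != nil {
		return nil, errors.New("open failed: wrong key, wrong context or tampered data")
	}
	return plaintext, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("donor,email,amount\nA. Person,a.person@example.org,250\n") // constructed sample
	blob, err := Seal(key, record, "donors/2013.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("key %s: %d plaintext bytes -> %d stored bytes\n", KeyID(key), len(record), len(blob))
	back, err := Open(key, blob, "donors/2013.csv")
	fmt.Println("same key and context:", err == nil && bytes.Equal(back, record))
	_, err = Open(key, blob, "donors/2012.csv")
	fmt.Println("wrong context:", err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = Open(key, blob, "donors/2013.csv")
	fmt.Println("tampered blob:", err)
}
```

Two caveats worth keeping in mind. A 96-bit random nonce must never repeat under the same key, so rotate keys well before the 2^32 operations that NIST SP 800-38D allows per key with random nonces; and the version byte exists so that, when you do rotate ciphers or formats, old records are still recognisable instead of guessed at.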
Page 26: #4: Secure Integration with Others
• Remember that your "perimeter" extends into every other network you choose to connect to your own: cloud computing vendors, mobile providers, outsourcers, business partners, etc.
• Make sure you do not undermine the security of your application through insecure integration with other platforms (e.g. mobile) or other providers.
Page 27: #5: Effective Backup & Restore Options
• Disaster recovery and business continuity are often considered only when it is too late.
• Good security is not just about "protection" but about availability and data integrity.
• Consider all the ways your data could become inaccessible, and make some allowance for the most likely or most damaging scenarios.
• And test, test, test! A backup you have never restored is an assumption, not a backup.
Page 28: #6: Security Education & Awareness
• Security education need not be elaborate, and it need not be costly.
• Security education just needs to be:
  • Relevant to the current threats
  • Relevant to the user roles
  • Comprehensive (over time)
  • Actionable
  • Measurable
  • Periodic
  • Rewarding
  • Personally applicable
Page 29: Considerations for the Cloud
#1: Security in the cloud is an extension of security outside the cloud.
#2: Auditing and reporting are among the most important security needs, and among those that vendors take the longest to address.
#3: The best security options in a cloud service cannot overcome the worst security practices by a customer (or provider). Tools are just a means of facilitating process.
Page 30: Considerations for the Cloud (continued)
#4: There are many legal components of cloud security that are overlooked until very late in the procurement process. Get your legal team involved early.
#5: Your data is not automatically safer on premises or less safe in the cloud (or vice versa). You *might* have more control over your data on your own premises, but without the processes, tools or staffing to address issues, your data will be at risk.
#6: Regular risk assessments are needed to ensure that the right level of security is being applied to your data.
Page 31: Summary of "DO"s
• Keep things as simple as possible
• Start with clear policies and procedures
• Use native tools
• Use trusted open-source tools
• Use "Community Edition" tools
• Hire the right people
• Regularly communicate with employees, management and key partners
• Keep abreast of current risks
Page 32: Summary of "DON'T"s
• Don't lose control of your data
  • If you use third parties to host or manage your data, encrypt it, and keep the keys yourself
• Don't unnecessarily expose or discuss your security mechanisms in detail
  • There is some security in obscurity, as long as it is never the only layer
• Don't ignore the security-trained resources you have access to
  • Your staff is really trying to help you. If anything, educate them about how to make decisions with limited data
• The security of your data is ultimately your problem
  • Don't expect to off-load 100% of the security concerns your organization faces onto your cloud vendors or other third parties. Your practices are important too.
Page 33: There is NO Such Thing as a FREE Lunch
Page 34: Question & Answer Time
Contact Info: Andrew S. Baker
www.BrainWaveCC.com
ABaker@BrainWaveCC.com
http://XeeMe.com/AndrewBaker

Editor's notes

  1. Understand the implications of your upgrades on other areas of the business (including other areas of IT)