4. Adrian Mikeliunas, CISSP
Certified Information System Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
30+ years as a Systems Engineer
12 years at the World Bank,
4 years at the Monetary Fund
7 years as a Consultant for AT&T
Mobile: 571-335-5525
Adrian@ConquestSecurity.com
5. Identity theft
Labor Action
Trojan Horses
Script Kiddies
Industrial Espionage
Human Factor
Backdoor ownership of Host machines
Hackers
Sniffing
Crackers
Process Hijacking
Buffer Overflows
Hostile Java Applets
ECHELON/CARNIVORE – Government Surveillance
Abuse of Civil Authority
Compromise of centralized 3rd Party Data Repositories
Legacy Systems
IP Theft
Hostile VB Scripts
Denial of Service Attacks
Foreign Government Espionage
Data Lineage
Rogue Applications
Intrusion to commit a Felony
Viruses
Worms
Spoofing
New Regulations
Social Engineering
Website Attacks
Theft of Trade Secrets
Dumpster Diving
Breach of Physical Security
Terrorism
External Threats
Security and Development
6. Social Engineering
Sniffing
Spam
Gopher
Wireless
email
DNS Cache-based Trust
NFS
Poorly Maintained System
Security Sensor Misconfiguration
IP Theft
Admin Errors
Privilege Escalation
Sendmail
Too many Services
TCP Hijacking
Finger Buffers
External DNS Zone Transfers
Human Factor
Identity theft
TFTP
FTP
Unauthorized Insider access
Rogue Applications
Sabotage
HTTP
Instant Messaging
Education and Awareness
Disgruntled Employees
Modem Hijacking
Bad Application Code
Policy adherence
UDP Services
News
Patch Management
Internal Threats
Security and Development
7. Security Frameworks
Disaster Recovery
Security Awareness
Security Health Checks
Security Policies and Procedures
PKI Readiness Reviews
PKI Infrastructures
Privilege Management
Consultants
Intrusion Detection
Training
Security Infrastructure
Network Forensics
Firewalls
Content Management
Secure Email
Legal/Regulatory
Portal Security
Business Continuity Planning
Incident Management
Platform Security
Computer Forensics
Website Protection
HR Policy
Event Monitoring
Domain Security
Wifi
Privacy
Collaboration/Partners
Users
Corporate Governance
Risk Assessments
Risk Analysis
Legacy Systems
Security Integration
Virus
Event Correlation
Security in Enterprise Architectures
Malware
Patch Management
Vulnerabilities
Control Standards
Intrusion Protection
The Human Factor
Log Analysis
Security Baselines
Webmail
Data Classification
Asset Classification
Data Lineage
Security Measurement
Mainframe Security
Security Management
Can We Understand Security?
Security and Development
8. OECD Guidelines for the Security of Information Systems & Networks
Government Information Security Reform Act
Turnbull Report
Higgs Report
Smith Report
EU Privacy Directive
OECD - Corporate Governance Guidelines
HIPAA
GLBA
Sarbanes Oxley
Patriot Act II
SB-1386 California
FISMA
GISRA
OMB-123
OMB-130
NIST 800 Series Standards
Bill C-6
ISO 17799
Basel II
Computer Fraud and Abuse Act 1986
Children's Online Privacy Protection Act of 1998 (COPPA)
Electronic Communications Privacy Act 1986
Foreign Corrupt Practices Act 1977
Freedom of Information Act
Computer Security Act 1987
Digital Millennium Copyright Act 1998
FERPA
National infrastructure Protection Act 1996
UK Data Protection Act
BS 7799
The European Union Directive on Data Protection
Anti-terrorism, Crime and Security Act 2001
The Telecommunications (Data Protection and Privacy) Regulations 1999
FERC
Homeland Security Act
NIST
EU Regulatory Framework for Electronic Communications
BITS
FDA
FFIEC
21 CFR part 11
NERC
NY Reg. 173
Legislation & Standards
Security and Development
9. Security and Development
Global State of Security
PAST
Virus
Lola
IT was responsible
PRESENT
Governments that spy
China
Korea
NSA, etc.
Corruption
SPAM & Malware
You are responsible
10. Security and Development
Technology and Communications
♦ The Telephone
– From tether to liberation [mobile]
♦ The Computer
– From tether to liberation [mobile]
♦ Radio and Television
– …
Everything implies mobility!
11. Security and Development
Security and Citizenship
♦ Transparency or Corruption?
♦ Electronic Elections?
♦ Service Reporting
– DC 311 311.dc.gov
– NY 311 www1.nyc.gov/311
13. Security and Development
Sustainable Development
♦ Municipal and State Projects
– Communication
– Education
– Health
– Security
– Employment
Within a framework of: transparency and anti-corruption
14. Security and Development
Sustainable Development
♦ Micro Loans
– Funds for small businesses
• http://www.kiva.org
• https://www.prosper.com
10:30 a.m. to 11:30 a.m.
“How to use technology to generate more local Security and Development”,
Adrian Mikeliunas (Conquest Security).
REMEMBER MOST THREATS COME FROM INSIDE – SO IT’S IMPORTANT TO KNOW WHAT THEY ARE AND HOW THEY CAN MANIFEST THEMSELVES ON YOU AS ADMINISTRATORS.
WE CAN PICK ANY OF THESE ISSUES AND DRILL DOWN
FOR EXAMPLE
SOCIAL ENGINEERING –
INSTANT MESSAGING
SPAM
MALWARE (SPYWARE)
So here we go again!
This tells us that Security is becoming the only way in which organizations can understand what they need to do to protect their business and conform to the laws of the land, and in addition what they must NOW do to mitigate risk and prove compliance. We are also seeing the laws changing quickly here in the US. How do you navigate and understand which laws and standards apply to your business?
The Europeans have adhered to a stricter privacy standard, believing that informational privacy is a human right and recalling the abuses of personal data by the Nazis during World War II. Europe has applied its data protection principles both to government and to private industry.
The European Union (EU) recently gave these principles constitutional status in the Data Protection Directive, which all EU member countries must implement. The agreement, which took effect in October 1998, caused concern in the United States because it prohibits trade with any nation that does not have adequate privacy laws. Negotiations on this issue between the United States and the EU are ongoing.