TRANSCRIPT
Information Security
Zero to 60 in 10 Years
Howard Muffler, Information Security Officer
Joseph Progar, Information Security Analyst
Embry-Riddle Aeronautical University
BUSINESS IMPERATIVES
Past: Business Imperatives
• Create a “Web Presence”
  – Convey information
  – Market to current and prospective customers
• Expand research capabilities
• Explore new markets – local to global
  – Reach a wider audience
  – Defend against competitors
• Enhance student life
Past: Business Imperatives
• Develop online classes and classrooms
• Transition IT from service provider to business driver
• Security imperatives growing as well:
  – Pay more attention to information protection!
  – Recognize the Internet as a dangerous place
Present: Business Imperatives
• Internet = Requisite business tool
  – Anytime Anywhere
  – Empower constituents
• More Self-Services
• More communication and collaboration
  – Continue to innovate – expand markets further
  – Think like an entrepreneur – act like a business
Present: Business Imperatives
• Security is a bigger concern than ever
  – Don’t end up “In the News” (involuntarily)
  – Understand risks; mitigate vulnerabilities
  – Formalize security responsibility and functions
  – Ensure legal and regulatory compliance
Future: Business Imperatives
• Continue expansion in global markets
• Deliver product anytime and anywhere
• Expand brand recognition
• Concentrate on niche competencies
Future: Business Imperatives
• Security will continue to be critical
  – Embed awareness into organization culture
  – Provide security which doesn’t conflict with education, productivity, & job responsibilities
  – Preserve constituent privacy
  – Ensure continued legal and regulatory compliance
ATTACKS
Past: Attackers and their Motives
Attacker
• Researchers
• Teenagers
Motivation
• Proof of Concept
• Fame / Infamy
Past: Common Attacks
• Viruses
• Worms
• Trojans
• DOS
• Web defacement
• Scanning
• Sniffing
Present: Attackers and their Motives
Attacker
• Well educated individuals
• Organized crime
Motivation
• Money
• Power
Present: Common Attacks
• Viruses, Worms, Trojans
  – Root Kits
  – Bot Nets
  – Key loggers
• DDOS
• Phishing
Future: Attackers and their Motives
Attacker
• Well educated criminals
• Ideologies and Businesses
Motives
• Money
• Politics
Future: Common attacks
• Viruses, Worms, Trojans
  – Bot Nets
  – Blended threats
• Encryption
  – Holding data hostage
NETWORK
Past: Network
[Network diagram; components labelled: Internet, Router, Firewall, Campus]
Present: Network
[Network diagram; components labelled: Internet, Router w/netflow IPS, three Firewalls, Campus, Wireless, Web Servers, Web, APP, Applications, Databases]
Present: Network – Defense in Depth
Future: Network
[Access-control flow diagram; steps labelled: Request Access, Evaluate, Process, Deny, Allow, Remediate]
ERAU SECURITY RESPONSE
Past: Security Response
• Moving away from Laissez Faire (B.I.)
• Early safeguards mostly afterthoughts
• Focused on virus protection and basic network security (perimeter protection)
• Equipment misuse > info protection
• SPAM threat not yet fully appreciated
• Y2K = Resource hog
Past: Security Response
• Higher Ed = Prime hacker target (why?)
• “Selling” security to upper management
• Growing appreciation of “Insider” threat
• Virus concerns = “Trio of Trouble” Plus
• Stronger efforts re: Regulatory compliance
Present: Security Response
• Formalization of security responsibilities
• Creation of formal polices and procedures
• Creation/expansion of education and awareness programs
• IT leadership in incident response
• First formal Risk Assessment study
Future: Security Response
• Continue to view security holistically
• Expand policies and procedures (ISO)
• Address new “compliance hammers”
• Formalize incident response – Not just IT
• Repeat Risk Analysis regularly
• Implement security measures which don’t just target specific vulnerabilities (adaptive, heuristic)
Five Steps to an Effective Information Security Program
1. Get Upper Management Support
2. Start Small
3. Adopt a Multilayered Approach
4. Keep Security Flexible
5. Improve Continuously
Thank You!
Q & A