Or, how to spend your weekends… Fall 2007
Posted 20-Dec-2015
Agenda
• General Overview of the CISO Arena
• Technical Security
• Information Security
• Strategic Security
Kirk Bailey – CISO, UW
Ernie Hayden – CISO, Port of Seattle
Q & A
Critical Security Problems: Security Profession Expertise Levels
(Chart based on Forrester, April 2005, enhanced/modified by Kirk Bailey and Ernie Hayden)
Technology Security – Technology Problems
• Firewalls
• Intrusion Detection
• Network Security
• Viruses, Worms, Crimeware
• System Hardening
• Encryption
• Engineering
Information Security – Business Problems
• Risk Management
• Business Continuity / Disaster Planning
• Intellectual Property
• Business / Financial Integrity
• Regulatory Compliance
• Industrial Espionage
• Privacy
• Forensics & Investigations
Strategic Security – Research
• Terrorism & CyberCrime
• Regional Interests (Including Cyber and Natural Disasters)
• Nation State Interests
• Intelligence
• Professional Alliances
• Politics
• Strategies and Tactics
WHY “STRATEGIC SECURITY”
It is not pretty out there…
41,000,000 of ‘em out there!
Troubling Realities
“In the world of networked computers every sociopath is your neighbor.”
Dan Geer, Chief Scientist, Verdasys
Cyber Attack Sophistication Continues To Evolve (Source: CERT 2004)
Chart: Attack Sophistication (Low to High) versus time (1980, 1985, 1990, 1995, 2000+); rising curve of Tools and Attack Sophistication, falling curve of Intruder Knowledge / Attackers’ Technical Skills
Techniques along the timeline, earliest to latest:
• password guessing
• self-replicating code
• password cracking
• exploiting known vulnerabilities
• disabling audits
• back doors
• hijacking sessions
• sweepers
• sniffers
• packet spoofing
• GUI
• automated probes/scans
• denial of service
• www attacks
• “stealth” / advanced scanning techniques
• burglaries
• network mgmt. diagnostics
• distributed attack tools
• cross site scripting
• staged attack
• bots
RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?
Species 8472
Cybercrime and Money…
McAfee CEO: “Cybercrime has become a $105B business that now surpasses the value of the illegal drug trade worldwide”
Symantec Internet Security Threat Report
• Threat landscape is more dynamic than ever
• Attackers rapidly adapting new techniques and strategies to circumvent new security measures
Today’s Threat Landscape…
• Increased professionalism and commercialization of malicious activities
• Threats tailored for specific regions
• Increasing numbers of multi-staged attacks
• Attackers targeting victims by first exploiting trusted entities
• Convergence of attack methods
Kirk Bailey, CISSP, CISM
• Objectives (Confidentiality, Availability, Integrity)
• Intelligence
• Trusted Alliances
• Innovative Thinking
• Risk Management (Liability Protection)
Compliance Challenges
• Contractual
• Statutory & Regulatory
• Industry Standards
Ernie Hayden, CISSP
Key Functions:
• Information & Computer Security
• Business Continuity / Continuity of Operations (COOP) / Disaster Recovery Planning
• Privacy
• Critical Infrastructure Protection Policy
• Emergency Communications
A Sampling of Projects
Administration
• Budgets
• Audits (e.g., Deloitte/State)
Policies & Procedures
• Appropriate Use – Update/Revision
• Security Policy - General
• Cell Phone Disposal
• RCW 19.255 Response
Security Management
• Security Strategy
• Top 10 List
• Metrics, Dashboard
• Security Governance
• Security Domain Architecture
Committees
• Architecture Management Board
• Corporate Security Council
• Change Management Board
Technology Issues
• VOIP Security
• Web Application Security
Employee Awareness
• Monthly Brownbags
• Secure Coding – Web Development
• Home PC Security Training
BCP/DRP
• Incident Response Procedure
• IT Disaster Recovery Policy
• Drills, Tabletops
• NIMS & ICS
Emergency Communications
• SendWordNow
• WebEOC - Emergency Operations Center Visualization Tool
Strategic Security Plan Elements
• Organization & Authority
• Controls Policy
• Risk Management Program
• Intelligence Program
• Audit & Compliance Program
• Privacy Program
• Incident Management
• Education & Awareness Program
• Operational Management
• Technical Security & Access Controls
• Monitoring, Measurement & Reporting
• Physical & Environmental Security
• Asset Identification & Classification
• Employee & Related Account Management Practices
What Do You Think?
Prioritize this task/response list:
• Key Application Vendor Contract Review
• 100’s of Incoming Spam Complaints
• Forensic Report on New Rootkit Compromises (30 machines)
• Patch Management Process Concerns
• Email Service Interruptions
• New Credit Card Processing System for Husky Stadium Requires CISO Approval
• Electronic Harassment of an Employee
Thoughts…
“The CISO of the future is the one who can run the risk-management organization.”
“The days of security being handled by the 'network person' who did security in their spare time are over and increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space.”
Quotes by Paul Proctor
THANKS!!
Kirk Bailey, CISSP, CISM
CISO, University of Washington
206-685-5475
Ernie Hayden, CISSP
CISO / Manager Enterprise Information Security
Port of Seattle
2711 Alaskan Way, Seattle, WA 98121
206-728-3460