Security Management Solutions Methodology By William Clark


Post on 15-Jan-2016


Security Management Solutions Methodology

By William Clark


Who I Am

My name is William Pierre Clark and I’m the owner of WilliamHomes, Sarl, a small IT consulting company.

Tel: 06 76 75 93 13

• I’m a Microsoft MCSE, Internet Security System and Cisco Certified Specialist in the US.

• I got an MBA from Schiller International, with a specialization in Multinational Business Management.

• In my life I have worked for companies like IBM, Honeywell, Commodore, Thomson, etc. I have many years of experience in the computer business, including 10 years in Arizona as the owner of Clark Consulting Corp.

• I’m half American with an Irish father and a French mother from Podensac (33).


Examples of Data Breaches in 2006 (source: www.privacyrights.org)


Vulnerabilities Are On the Rise


Tactical security solutions can’t stop span to enterprises

• Yes, organizations are adding security defenses but they continue to proceed on a tactical basis with point technologies to address the threat du jour. A laptop gets stolen at one company so another implements laptop encryption. Patient data is leaked through an unprotected email so the next hospital implements a data leakage appliance at its network gateway. These solutions may provide a bit of relief but they don’t talk amongst each other and are glued onto the infrastructure rather than amalgamated into the data model.

• Simply stated, tactical security defenses grow as a function of the threat landscape, changing legislation, and budgets -- slowly and steadily. At the same time, confidential data growth and distribution proceeds unabated while the number of vulnerabilities continues to climb. This creates an ever-growing risk gap that increases the threat to information assets on a daily basis (see Figure 4). Clearly, enterprises need a new way to address these problems systematically and quickly to break this vicious cycle.


The Confidential Data Security Risk Gap

(see Figure 4).


Type of attacks


Trojan horse (French: « Cheval de Troie »)


How Much Does a Hack Cost? (1)

• We're thinking of a number between $100,000 and $50 million; here's how to handicap your cost per incident a little more closely.

• That's what a new report released today by Trusted Strategies concludes: The average cost per event to an organization hit with stolen account privileges was $1.5 million, versus $2,400 for a virus attack, according to the report, which analyzes real data from publicly disclosed cybercrime cases.

• Average financial loss per case was more than $3 million.

• 78 percent of attackers in these cases did their dirty deeds from a home PC with stolen credentials, rather than any sophisticated hacking techniques.

• 84 percent of computer crimes could have been prevented if the computer that was broken into had been verified as an authorized device.

• Most attackers have no relationship to the victim, which goes against conventional wisdom that the insider threat is the real security risk.

How Much Does a Hack Cost? (2)

• And most organizations that were attacked had checked user ID and password credentials, according to the report, but not whether the computer that got in was legit. Among those attacks, 78 percent were committed from the attacker's home and 5 percent on-site. Some 17 percent of the cases didn't specify where the attack originated.

• But in about 16 percent of these cases, checking the authenticity of the machine wouldn't have halted the breach because these attacks were either from insiders, or they were denial-of-service and other malware attacks that don't use logons.

• Outside attackers committed 79 percent of the crimes where user accounts were infiltrated, and former employees were the perpetrators in 21 percent of these types of breaches. And overall, 57 percent of attackers had no relationship with the victim organizations, 22 percent were former employees, 14 percent were current employees, and 7 percent had a customer or supplier relationship or similar "connection" to the victimized organization.

• Government (23 percent), retail (22 percent), high tech (20 percent), and financial (16 percent) were the top victims of attacks, according to the report.


The cost of insider hackers

43% of attacks come from inside and 57% from outside


Security for beginners


Let's take a tour of the evolution of security techniques!


Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of sensitive information across public networks
5. Maintain a Vulnerability Management Program
6. Use and regularly update anti-virus software
7. Develop and maintain secure systems and applications
8. Implement Strong Access Control Measures
9. Restrict access to data by business need-to-know
10. Assign a unique ID to each person with computer access
11. Restrict physical access to cardholder data


Today’s Information-centric security silos


Information-Centric Security Architecture


The Information-Centric Security Architecture at Work


ISO 17799 contains best practices of control objectives and controls in the following areas of information security management:


ISO 17799

• Security policy,
• Organization of information security,
• Asset management,
• Human resources security,
• Physical and environmental security,
• Communications and operations management,
• Access control,
• Information systems acquisition, development and maintenance,
• Information security incident management,
• Business continuity management and Compliance.


The VPN (or Virtual Private Network) Solution from RSA


Let's put this Snack on all of your servers


Internet Monitoring Security Center


10 tips for creating a network security policy

1. Identify and locate your assets. Assess the importance of both information and material goods. Example: A computer may cost $3,000 to replace. The information on that computer might cost $60,000 to replace.

2. Perform a threat risk assessment. Categorize the likelihood of assets being stolen and the resulting damage. So, if a company has a public Web server, the cost of it going down from a denial-of-service attack might be the time required to bring the system back online--let's say, two hours from the IT department. If this Web server is used to perform financial transactions, then the cost must also include the number of purchases lost while the server is down.

3. Adopt a "need-to-know" philosophy. The CEO does not need a password to enable him to gain access to the accounting system. If he has access and someone finds out his password--e.g., he uses one password for all systems--it can be misused.

4. Perform an informal site survey of your organization. You can either relocate valuable assets to more secure areas or take extra measures--additional locks, smart cards, security personnel, etc.--to guard these assets.

5. Institute a standard for classifying all information. An advertising plan might be restricted to specific people in the marketing and business development departments. An engineering document that details trade secrets would be restricted to specific engineers.


10 tips for creating a network security policy (2)

6. Ascertain who needs access to external resources. This is an extension of the need-to-know philosophy. Although cumbersome, it may be necessary to adopt strict policies regarding the use of the Web and the downloading of third-party software from unknown sites.

7. Create a disaster recovery plan. Pick a worst-case situation--usually such plans assume the building has burned down--and consider how you will stay in business and service your customers. This exercise will serve to highlight the data and equipment that is critical to your operation. It will also make you think about how long your operation can be "down" without suffering irreparable harm.

8. Appoint someone to be responsible for security policy enforcement. This can be one person or a group of individuals.

9. Review the impact of any intended procedural changes on your employees. Will they be capable of shutting off alarm systems, changing passwords every month, locking their drawers every night and using password-enabled systems?

10. Understand that the implementation of any security policy needs regular validation. Reviewing the security policy six months after it was written will frequently uncover a few major deficiencies.


Thank

Question and Answer