The Top 10 things you must do to protect security systems from cyber attacks
Dave Tyson CPP, CISSP, MBA

TRANSCRIPT

Dave's Bio
• 16 Years in Physical Security Industry
  • Executive Protection
  • Investigations
  • Security Officers
  • Security Systems
  • Chief Security Officer
• 20 Years in Cyber Security Industry
  • Chief Information Security Officer
  • Cyber Security Consultant
  • Vulnerability Testing Company Owner
• Industry Experience & Credentials
  • Certified Protection Professional
  • Certified Information Systems Security Professional
  • MBA, Digital Technology Mgt.
  • 2015 President ASIS International
Agenda
• Level Setting
• How Cyber attacks are carried out
• Top 10 Must do activities

Why?
Ø 1 in 101 emails is malicious
Ø 32% of email is actually clean enough for delivery
How?
• It was insecure to start with
• It was installed poorly
• It wasn't maintained or monitored correctly

What
• Interconnectivity
• Complexity
• It's a weakest link discipline
1. Do you have requirements for securing the tool or system?
2. Did it start secure?
3. Was it installed with a secure design?
4. Have the integration points been considered?
5. Is it tested for security before going live?
6. Are all the basics covered?
7. How will you know if the system is violated?
8. Who is going to monitor the system or tool for variance?
9. How will it be maintained?
10. Use security intelligence to understand your adversary's approach
Top10List
#1 - Do you have requirements for securing the tool or system?
• Security requirements must be developed if you want to let the technical team know your expectations!

#2 - Did it start secure?
• Beyond the Vendor statements!
• What assurance level do you require?
#3 - Was it installed with a secure design?
• Was the documented design created by an expert?
• Did the security requirements make it into the design?
• Was it installed according to the design?

#4 - Have the integration points been considered?
• For systems that will be integrated or talked to, have the security issues been considered?
#5 - Is it tested for security before going live?
• Measure 6 times, cut once!
• No scope restrictions!
• Testing criteria should be added into the requirements document!

#6 - Are all the basics covered?
• Do you know all who will have access? Even in an emergency!
• Are the lockouts complete?
• Is there documentation?
• Is training included?
#7 - How will you know if the system is violated?
• What does an attack look like for this system?
• What is the baseline, what does normal look like?

#8 - Who is going to monitor the system or tool for variance?
• Who will monitor?
• What are escalation paths?
• What about reporting?
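Points #7 and #8 both come down to having a recorded baseline of "normal" and a routine that compares new activity against it. The following is an added example, not code from the presentation or from any product: it learns a baseline from a constructed week of access-control events (badge swipes per door, administrator logins to a video management console) and reports any event that falls outside the hours, sources or targets seen in that baseline. The log format, door names, badge ids and hosts are all assumptions made up for the example; a real deployment would feed it an export from the actual access-control or VMS system.

```python
"""Baseline-and-variance check for a physical security system's event log.

Added example (not from the presentation). Event records are constructed
below; the single-line format is an assumption for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "badge" or "admin_login"
    subject: str   # door name or admin account
    source: str    # badge-holder id or originating host


def parse_line(line: str) -> Event:
    """Parse one constructed log line, e.g.
    '2024-03-04T08:12:00 badge door=LobbyEast src=B1021'."""
    ts_s, kind, subj_kv, src_kv = line.split()
    return Event(datetime.fromisoformat(ts_s), kind,
                 subj_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


class Baseline:
    """'Normal' for each (kind, subject): the hours of day and sources seen."""

    def __init__(self) -> None:
        self.hours: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
        self.sources: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def learn(self, events: Iterable[Event]) -> "Baseline":
        # The learning window must be one you believe was clean (see #5/#6);
        # an attacker's activity in the baseline becomes "normal".
        for e in events:
            key = (e.kind, e.subject)
            self.hours[key].add(e.ts.hour)
            self.sources[key].add(e.source)
        return self

    def variances(self, events: Iterable[Event]) -> List[str]:
        """Return one human-readable alert per deviation from the baseline."""
        alerts: List[str] = []
        for e in events:
            key = (e.kind, e.subject)
            when = e.ts.isoformat()
            if key not in self.hours:
                alerts.append(f"{when} unknown {e.kind} target {e.subject!r}")
                continue
            if e.ts.hour not in self.hours[key]:
                alerts.append(f"{when} {e.kind} on {e.subject} at hour "
                              f"{e.ts.hour:02d}, baseline hours {sorted(self.hours[key])}")
            if e.source not in self.sources[key]:
                alerts.append(f"{when} {e.kind} on {e.subject} from new source {e.source!r}")
        return alerts


# Constructed baseline: a quiet week of badge swipes and console logins.
BASELINE_LOG = [
    "2024-03-04T08:12:00 badge door=LobbyEast src=B1021",
    "2024-03-04T09:01:00 badge door=LobbyEast src=B1022",
    "2024-03-04T17:30:00 badge door=LobbyEast src=B1021",
    "2024-03-04T10:15:00 badge door=ServerRoom src=B2200",
    "2024-03-05T14:40:00 badge door=ServerRoom src=B2200",
    "2024-03-05T09:05:00 admin_login acct=vms-admin src=10.0.5.20",
    "2024-03-06T10:20:00 admin_login acct=vms-admin src=10.0.5.20",
]

# Constructed new window: one normal swipe and three things worth escalating.
NEW_LOG = [
    "2024-03-11T08:05:00 badge door=LobbyEast src=B1021",
    "2024-03-11T03:12:00 badge door=ServerRoom src=B1021",
    "2024-03-11T09:30:00 admin_login acct=vms-admin src=198.51.100.7",
    "2024-03-11T10:00:00 badge door=LoadingDock src=B3300",
]


def run_check(baseline_lines: List[str], new_lines: List[str]) -> List[str]:
    """Build the baseline from one set of lines and report variances in another."""
    base = Baseline().learn(parse_line(l) for l in baseline_lines)
    return base.variances(parse_line(l) for l in new_lines)


if __name__ == "__main__":
    for alert in run_check(BASELINE_LOG, NEW_LOG):
        print("ALERT:", alert)
```

The alerts are the "variance" of #8: each one should map to a named monitor and an escalation path, and the baseline itself is an artefact to keep under change control, since it silently defines what will never be flagged.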
#9 - How will it be maintained?
• Who will patch and update it?
• What about end of life and replacement?
• Security disposal?

#10 - Use security intelligence to understand your adversary's approach
• Know thy enemy!
Summary
• Plan to succeed
• Work the top 10 list at a minimum
• Decide how much risk is acceptable
• Doorway to the data network

[email protected] | @cisoinsights | https://www.facebook.com/cisoinsights/ | www.cybereasylearning.com