The Whole/Hole of Security A Consultant’s Perspective August 25, 2004 Potomac Consulting Group Don Philmlee , CISSP


Page 1

The Whole/Hole of Security
A Consultant’s Perspective

August 25, 2004
Potomac Consulting Group

Don Philmlee, CISSP

Page 2

Potomac Consulting Group

www.potomac.com

Don Philmlee - [email protected]

Page 3

What this section will cover

• Perceived vs. Real Threats

• What your firm can do

• Assessing assets and risk

• What are some firms doing?

Page 4

Perception vs. Reality

Perception: Good security is achieved by using the right technology.

Reality: Good security is achieved by good policies, procedures, educated users, and an understanding of your assets and your risks, as well as technology.

Perception: Our real security problem comes from external sources.

Reality: Most security problems come from within, from employees.

Perception: Our client information cannot be at risk. Our security has to be 100%.

Reality: Using a computer is a matter of accepting risk; the question is how much risk is acceptable and how well it can be minimized.

Page 5

Cautions

• There is more out there than your firm can contend with

• Don’t buy into fear mongering

• Easy to squander a security budget

Page 6

Security Perceptions

User

Perception: “Security is not my responsibility.”

Reality: Users are at the very heart of how a firm’s security is implemented and can be the cause of success or failure of security controls.

IT

Perception: “We do what we can, but we don’t get the money or support to lock everything down.”

Reality: You don’t have to lock everything down tight, just the assets that are most valuable and at the most risk. Management often provides little guidance here.

Management

Perception: “Security is handled by my IT department. We did an audit two years ago and came up clean.”

Reality: Security is a management issue and should be driven from the top down. Management needs to know what security controls are in effect now.

Page 7

What can you do?

• Security is attainable

• Organize your response

• Follow the concepts of Due Care / Due Diligence

• Security should be driven by management, not by the technicians

• Defend only what you need to

• Integrate your people, process and technology

Page 8

Visualize Your Security Layers

Page 9

Assess Your Systems

• Identify what your firm values most, e.g.:

– Email
– Document stores
– Personnel database
– Remote access
– Client extranet
– Etc.

Page 10

Quantify Your Assets

• Assign a financial value to each asset, e.g.:

– Cost to Build
– Cost to Protect
– Value to Competition
– Cost to Recover

Page 11

Evaluate Potential Risks

• Realistically decide which problems you are likely to face, e.g.:

– Hurricane
– Terrorist attack
– Hacker
– Disgruntled employee
– (basic disaster recovery planning)

Page 12

Classic Risk Assessment

• Determine a quantitative value for qualitative assets.

• This is one approach to valuation using the CIA triad. Each asset is rated High = 3, Medium = 2, Low = 1 for Confidentiality, Integrity and Availability; the Value column is the sum of the three ratings:

Asset           Confidentiality   Integrity   Availability   Value
Email                  3              2             3           8
Client files           3              2             1           6
Lit Supp DB            3              1             2           6
Recruiting DB          2              1             1           4
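The scoring on this slide, and its combination with the likelihood ratings from the previous slide, as an added example that is not part of the original presentation. It reproduces the slide's table under the stated scale (High = 3, Medium = 2, Low = 1, value = sum of the three ratings) and goes one step further than the slide by multiplying value by a per-asset threat likelihood; the likelihood numbers in the demo are constructed for illustration, not the author's.

```python
"""Added example (not from the original slides): scoring assets with the
CIA-triad ratings from the slide's table and ranking them.

Assumptions, not stated on the slide: each of Confidentiality, Integrity and
Availability is rated High=3 / Medium=2 / Low=1 and the asset value is their
sum (this reproduces the slide's numbers); the likelihood weights used by
rank_by_risk() are constructed illustrative values, not the author's.
"""
from dataclasses import dataclass

RATING = {"high": 3, "medium": 2, "low": 1}


def rate(label: str) -> int:
    """Map 'High' / 'Medium' / 'Low' (any case) to 3 / 2 / 1."""
    try:
        return RATING[label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown rating {label!r}; use High, Medium or Low") from None


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        # Reject anything outside the 1..3 scale so a typo cannot silently
        # inflate or deflate an asset's value.
        for attr in ("confidentiality", "integrity", "availability"):
            v = getattr(self, attr)
            if v not in RATING.values():
                raise ValueError(f"{self.name}: {attr} must be 1, 2 or 3, got {v!r}")

    @property
    def value(self) -> int:
        """The slide's additive CIA score."""
        return self.confidentiality + self.integrity + self.availability


# The four assets exactly as rated on the slide.
SLIDE_ASSETS = [
    Asset("Email",         rate("High"),   rate("Medium"), rate("High")),
    Asset("Client files",  rate("High"),   rate("Medium"), rate("Low")),
    Asset("Lit Supp DB",   rate("High"),   rate("Low"),    rate("Medium")),
    Asset("Recruiting DB", rate("Medium"), rate("Low"),    rate("Low")),
]


def asset_values(assets):
    """{asset name: CIA value}, i.e. the 'Value' column of the slide."""
    return {a.name: a.value for a in assets}


def rank_by_value(assets):
    """Asset names, highest value first; ties keep their listed order."""
    return [a.name for a in sorted(assets, key=lambda a: a.value, reverse=True)]


def rank_by_risk(assets, likelihood):
    """Extension beyond the slide: risk = asset value x threat likelihood.

    `likelihood` maps asset name -> 1..3, the rating the firm gave to the
    realistic threats against that asset (see 'Evaluate Potential Risks').
    An asset absent from the mapping is treated as likelihood 1, so an
    unrated asset never disappears from the list; it just ranks low.
    Returns [(name, risk score), ...], highest risk first.
    """
    scores = []
    for a in assets:
        lik = likelihood.get(a.name, 1)
        if lik not in (1, 2, 3):
            raise ValueError(f"{a.name}: likelihood must be 1, 2 or 3, got {lik!r}")
        scores.append((a.name, a.value * lik))
    return sorted(scores, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for name, value in asset_values(SLIDE_ASSETS).items():
        print(f"{name:14s} value {value}")
    # Constructed likelihood ratings, for illustration only.
    demo_likelihood = {"Email": 3, "Client files": 1, "Lit Supp DB": 2, "Recruiting DB": 3}
    for name, risk in rank_by_risk(SLIDE_ASSETS, demo_likelihood):
        print(f"{name:14s} risk  {risk}")
```

Note that the additive CIA score alone ranks Client files and Lit Supp DB equally; it is the likelihood step that separates them, which is the reason the deck asks you to evaluate potential risks before creating the plan of action.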

Page 13

Now, Create a Plan of Action

• Administrative Controls
– Security Policies & Procedures
– Security Awareness Training

• Technical Controls
– Quality Passwords
– Workstation Lockdown
– Etc.

• Physical Controls
– Intrusion Detection
– Locks
– Etc.

Page 14

Page 15

Security is NOT a one-time effort

• Systems are dynamic

• Evaluate the implementation

• Vulnerability scanning

• External 3rd party assessments

Page 16

Regularly Review Asset Security

• Just as financial systems are audited regularly, information systems should be audited on a regular basis as well.

• Audits should be done once or twice a year, or whenever technology changes are made.

Page 17

What are Most Firms Doing?

• Paying too much attention to external problems

• Not paying enough attention to internal problems

• Not making security a management process

Page 18

Often Ignored Problems

• Workstation Lockdown

• Workstation Standardization

• Quality Passwords

• Laptop Security

• Home Networks

• Poorly done Security Policies

• Little or no Security Awareness Training

Page 19

Workstation Lockdown / Standards

• Workstations should be Business Computers NOT Personal Computers

• Effective, but not popular

• Users download from the Internet

• Spyware has become a big problem

• Root Kits / Trojans / Worms

Page 20

Quality Passwords

• Passwords are the keys to the kingdom

• First layer of user security

• They are often NOT taken seriously

• Use passphrases not passwords

• 8-character passwords are good, but 15 (or more) character passwords are better
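A passphrase policy check built around the advice on this slide, added here as an example that is not part of the original presentation. The exact rules (minimum 15 characters; either three character classes or a passphrase of at least three words), the small denylist of common words and the alphabet sizes used for the search-space estimate are illustrative choices for this example. One fact worth knowing behind the 15-character figure, stated in the code as a comment: Windows of that era stored a LAN Manager (LM) hash for passwords of 14 characters or fewer unless LM storage was disabled by policy, and the LM hash is trivially cracked; a password of 15 or more characters has no LM hash at all.

```python
"""Added example (not from the original slides): a passphrase policy check
built around the slide's advice (passphrases, 15+ characters), plus a
search-space estimate that shows why length beats a short 'complex' password.

Assumptions, not stated on the slide: the exact policy rules (minimum 15
characters; either three character classes or a passphrase of at least three
words), the small denylist of common words, and the per-class alphabet sizes
used for the estimate are illustrative choices made for this example.
"""
import math
import re

MIN_LENGTH = 15  # slide: 8 characters is good, 15 or more is better
# Fact, not on the slide: Windows stores a LAN Manager (LM) hash, which is
# trivially cracked, for passwords of 14 characters or fewer unless LM
# storage is disabled by policy; a 15+ character password has no LM hash.

# Constructed denylist; a real deployment would use a much larger list.
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty", "summer2004"}

# Alphabet size per character class; used only to estimate search space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def char_classes(pw: str) -> set:
    """Which character classes a password draws from (spaces are ignored)."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isprintable() and not ch.isspace():
            classes.add("symbol")
    return classes


def search_space_bits(pw: str) -> float:
    """log2 of the number of strings of this length over the classes used.

    This is an upper bound on attacker effort for a randomly chosen
    password. A passphrase built from dictionary words is guessed far
    faster than this number suggests, which is why check_passphrase()
    still rejects common words and very short word lists.
    """
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return 0.0 if alphabet == 0 else len(pw) * math.log2(alphabet)


def check_passphrase(pw: str) -> list:
    """Return the policy violations for `pw`; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = pw.lower()
    for word in sorted(WEAK_WORDS):  # sorted so the report order is stable
        if word in lowered:
            problems.append(f"contains common word {word!r}")
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    if len(words) < 3 and len(char_classes(pw)) < 3:
        problems.append("use a passphrase of three or more words, or three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2004", "Tr0ub4dor&3", "correct horse battery staple"):
        bits = search_space_bits(candidate)
        verdict = check_passphrase(candidate) or ["accepted"]
        print(f"{candidate!r}: {bits:.1f} bits; {'; '.join(verdict)}")
```

Run stand-alone, the script shows the slide's point in numbers: fifteen lowercase letters span a larger search space than eight characters drawn from all four classes, and a four-word passphrase passes the policy while the short "complex" passwords do not.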

Page 21

Laptop Security

• Hotels / Home Networks

• Dsniff / webspy / spectorsoft / wireless sniffers

• Personal Firewalls (XP SP2)

• Encrypted Files (EFS)

Page 22

Conclusions

• Security is an attainable goal

• Security has fast become a priority

• The challenge is to determine the best and most appropriate solution for your needs

• Integrate your people, process and technology into security

• Security needs to become part of your firm’s culture

Page 23

Resources

• SANS Institute – www.sans.org

• CERT – www.cert.org

• CISecurity – www.cisecurity.org

• Microsoft – www.microsoft.com/security

Page 24

Questions?

Potomac Consulting Group

www.potomac.com

Don Philmlee, [email protected]