Slides: 34
Provided by: mrx84
Transcript and Presenter's Notes

Title: Headline here


1
Information Security: To Serve & Protect
A. Alex Fullick, MBCI, CBCP
2
"Security is everyone's responsibility and 'U'
are at the center." - Quote found on
www.nativeintelligence.com
3
Agenda
  • What is Security?
  • Challenges & Compromises
  • What Does Security Do?
  • Tools for Organizations
  • Responding to an Incident / Incident Response
    Plan (IRP)

4
Agenda
  • Quick Wins (Minimal to no $)
  • Awareness Training
  • Security Resources

5
I.S. Challenges & Compromises
  • Numerous systems (applications)
  • Many passwords (home & office)
  • Too much to remember (don't write it down)
  • Too much IT babble (i.e. acronyms, terms)
  • Employees don't understand impacts (WIIFM)

6
I.S. Challenges & Compromises Cont'd
  • Real data used for testing
  • No awareness or training
  • Virus / Internet Attacks
  • Misplaced / Lost / Stolen media / Physical or
    social theft of property

7
I.S. Challenges & Compromises Cont'd
  • Too much access internally
  • De-provisioning access
  • Segregation of duties & access creep
  • IS Perceived as roadblock / IT only
  • Late in project involvement

8
I.S. Challenges & Compromises Cont'd
  • The Risk is Real
  • 25% report security breaches (75% don't)
  • 74% of loss attributed to virus attacks,
    unauthorized access, physical & proprietary
    (information) theft.
  • 71% have no insurance policy to manage
    cyber-security risks
  • 50% declined to report loss amount
  • Source: Computer Security Institute (CSI), 2006
    Computer Crime and Security Survey

9
What is Security?
  • Procedures and Policies that protect
  • Confidentiality, Integrity and Availability of
    company assets (CIA)
  • Company reputation
  • Processes
  • Employees / stakeholders / shareholders

10
What Does Security Do?
  • Security dept/professional (aka protection
    force)
  • To protect data (data is considered
    confidential)
  • Develop, implement and enforce security policies
  • Educate employees with awareness presentations /
    material

11
What Does Security Do? Cont'd
  • Security department cont'd
  • Develop, monitor & maintain infrastructure
    security (& Processes)
  • Infrastructure and app. risk analysis,
    lockdowns, audits & penetration tests.
  • Provide defense against law breakers /
    attackers

12
What Does Security Do? Cont'd
  • Security department cont'd
  • Provide response procedures
  • Support bus. units & bus. development
  • Helps ensure continued operations
  • Risk Management

13
What Does Security Do? Cont'd
  • Security department cont'd
  • Align efforts to business objectives
  • Chain of Custody
  • Secure facilities

14
Tools for Organizations
  • Intrusion Prevention Systems (IPS)
  • Blocks network attacks
  • Inbound attacks (hackers / viruses)
  • Outbound attacks
  • Monitoring
  • Web controls
  • Proxy servers
  • Anomaly detection

15
Tools for Organizations Cont'd
  • Corporate Policies
  • Email / voicemail / wireless usage
  • Corporate resources only
  • Secure file transfer (FTP vs SFTP)
  • Data used for testing purposes
  • Media disposal

16
Tools for Organizations Cont'd
  • Strategies for Malicious Behavior
  • Policy enforcement ramifications
  • Awareness & acknowledgement of policies
  • Periodic Internal Compliance Audits
  • Quarterly audits, rolling audits

17
Tools for Organizations Cont'd
  • Forced password resets
  • 30 / 60 / 90 days renewal
  • Retain password history
  • Complexity requirements

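An added example (not from the presentation) that turns the three password controls on the slide above into a small, checkable policy: forced reset after a fixed age, a retained history of salted digests that blocks reuse, and a complexity rule. The 90-day period, history depth of 5, 12-character minimum and PBKDF2 rounds are assumed values, since the slide names the controls without fixing numbers.

```python
import hashlib
import os
import re
from datetime import date, timedelta

# Assumed policy values; the slide names the controls but does not fix numbers.
MAX_AGE_DAYS = 90      # forced reset period (slide offers 30 / 60 / 90 days)
HISTORY_DEPTH = 5      # previous passwords a user may not reuse
MIN_LENGTH = 12
PBKDF2_ROUNDS = 50_000

def complexity_ok(pw: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    hits = sum(bool(re.search(pattern, pw)) for pattern in classes)
    return len(pw) >= MIN_LENGTH and hits >= 3

def _digest(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def in_history(pw: str, history: list) -> bool:
    """history holds (salt, digest) pairs, oldest first; only the newest
    HISTORY_DEPTH entries are compared, so older passwords age out."""
    recent = history[-HISTORY_DEPTH:]
    return any(_digest(pw, salt) == digest for salt, digest in recent)

def reset_due(last_changed: str, today: str) -> bool:
    """True when the password is at least MAX_AGE_DAYS old (ISO dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= timedelta(days=MAX_AGE_DAYS)

def check_change(new_pw: str, history: list) -> list:
    """Policy violations for a proposed new password; empty means accepted."""
    problems = []
    if not complexity_ok(new_pw):
        problems.append("complexity")
    if in_history(new_pw, history):
        problems.append("reused")
    return problems

def record_change(new_pw: str, history: list) -> list:
    """Store the accepted password's salted digest in the history."""
    salt = os.urandom(16)
    history.append((salt, _digest(new_pw, salt)))
    return history
```

In production the digests would come from a dedicated password hash such as bcrypt or Argon2 rather than PBKDF2 with these rounds.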
18
Tools for Organizations Cont'd
  • Authorization
  • No generic IDs / sharing
  • Data classifications / segregation of duties
  • Data owner approves all access
  • Vendor Relations
  • Consultants/vendors follow policies
  • 3rd party risk assessments

19
Tools for Organizations Cont'd
  • Email Quarantine
  • Phishing / malicious emails / SPAM
  • Training & Awareness Programs
  • Automatic screensaver / password protection

20
Tools for Organizations Cont'd
  • Laptop security mechanisms
  • Fingerprint reader
  • Full disk encryption
  • GPS locator
  • Lock to tables
  • Security token (SecurID)

21
Responding to a Security Incident
  • Incident Response Plan (IRP)
  • Computer Security Incident Response Team (CSIRT)
  • Roles & Responsibilities of Team Members
  • Similar to Crisis / DR team
  • 3 components

22
Responding to an Incident Cont'd
  • Component 1 - Handling Process
  • Detection
  • Containment
  • Eradication

23
Responding to an Incident Cont'd
  • Component 2 - Recovery Process
  • Assess Damage
  • Reverse Damages
  • Nullify the Source

24
Responding to an Incident Cont'd
  • Component 3 - Post Mortem/Follow-up
  • Review the Incident
  • Review the Handling of the Incident
  • Documentation
  • Reporting

25
Quick Wins (Low $)
  • 1 - Lock your desktop / laptop
  • 2 - Encrypt all laptops
  • 3 - Maintain a clean desk
  • 4 - Don't keep data longer than necessary;
    dispose properly (i.e. shred)
  • 5 - No client data for test/dev

26
Quick Wins (Low $)
  • 6 - Data transmissions through secure methods
  • 7 - Wear ID badges (always)
    - Includes visitors / vendors / consultants
  • 8 - Limit access (physical & systems)
  • 9 - Consultants follow your policies
  • 10 - Report lost material immediately

27
Quick Wins (Low $)
  • 11 - Enforce strong passwords
  • 12 - Include I.S. in BCM tests/exercises
  • 13 - Early project involvement
  • 14 - Employee background checks
  • 15 - Continuous review / awareness

28
Awareness Training
  • Annual reviews
  • Internal newsletters
  • Email campaigns
  • Screensaver / desktop wallpaper
  • Workshops (Lunch & Learn)

29
Awareness Training
  • Focus Groups
  • Policy acknowledgements
  • Table top exercises (work with DR/BCP groups)
  • Radio / TV commercials
  • Post Memos / Communications

30
Awareness Training Cont'd
  • Monitor real-world incidents
  • Certification for professionals

31
Security Resources
  • Security Good Practices / Methodologies
  • SANS Institute
  • National Institute of Standards and Technology
    (NIST)
  • Computer Security Institute (CSI)
  • GASSP (General Accepted System Security
    Principles)
  • International Standards Organization (ISO 17799)
  • IETF ( Internet Engineering Task Force -
    Security Handbook)
  • ISSA (Information Systems Security Association)

32
  • "...because bail is cheaper."
  • - Jason W. (I.S. Analyst)
  • The Donkey, The Rooster and the Lion
  • Aesop's Fable
  • Moral: False confidence is the precursor of
    disaster.

33
Thank You! A. Alex Fullick, MBCI, CBCP
afullick_at_equitable.ca / alex_at_stone-road.com