Security Planning Essentials - PowerPoint PPT Presentation

1
Security Planning Essentials
  • By Dan Miller, Wipfli

2
Network Security Challenges
  • Enterprises are expanding
  • Information theft is exploding out of control
  • Computer crime, fraud and destruction cost
    billions of dollars
  • Network security is a sensitive issue for CIOs and
    network managers alike
  • Information Privacy and Security
  • Connectivity is exploding

3
Understanding the Fundamentals
  • The Ten Immutable Laws
  • Eight steps to take toward security

4
The Ten Immutable Laws
  • If a bad guy can persuade you to run his program
    on your computer, it's not your computer anymore
  • If a bad guy can alter the operating system on
    your computer, it's not your computer anymore
  • If a bad guy has unrestricted physical access to
    your computer, it's not your computer anymore
  • If you allow a bad guy to upload programs to your
    web site, it's not your web site anymore
  • Weak passwords trump strong security

5
The Ten Immutable Laws
  • A machine is only as secure as the administrator
    is trustworthy
  • Encrypted data is only as secure as the
    decryption key
  • An out-of-date virus scanner is only marginally
    better than no virus scanner at all
  • Absolute anonymity isn't practical, in real life
    or on the web
  • Technology is not a panacea

6
Getting Started with the Process
  • Identify the assets you want to protect
  • Create policies that support the security
    philosophy of the organization
  • Establish a baseline for your security posture
    with an assessment
  • Create a gap analysis
  • Identify and prioritize your risks

7
The Process (Cont'd)
  • Develop a remedial action plan, remediate and
    test the results
  • Manage the process
  • Train your users
  • Audit, audit, audit

8
Identify the Assets to Protect
  • Involve top management
  • Identify your most valuable systems and
    information
  • Make it difficult for unauthorized users to
    access them

9
Identify the Assets to Protect
  • Firewalls are good
  • Intrusion detection systems are good
  • Establish security in layers
  • Physical security is critical
  • Virus control is critical
  • Backups are critical

10
Firewall Deployment
  • Corporate Network Gateways
    • Protecting the internal network from attack
    • Most common deployment point
  [Diagram: Corporate Site with a Demilitarized Zone (DMZ) of public servers at the corporate gateway and a Human Resources Network inside]
11
Firewall Deployment
  • Corporate Network Gateways
  • Internal Segment Gateways
    • Protect sensitive segments (Finance, HR, Product
      Development)
    • Provide a second layer of defense
    • Ensure protection against internal attacks and
      misuse
  [Diagram: Corporate Site with the DMZ (publicly accessible servers) at the gateway and a second firewall in front of the Human Resources Network]
12
Firewall Deployment
  • Corporate Network Gateways
  • Internal Segment Gateways
  • Server-Based Firewall
    • Protect individual application servers
    • Apply granular access control beyond the
      application level
  [Diagram: Corporate Site with the DMZ public servers and the Human Resources Network]
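The three deployment points above, worked through as an added example (this is not code from the presentation or from Wipfli): a first-match policy evaluator in Python that models the corporate gateway, an internal segment gateway in front of the HR network, and a server-based firewall on the HR database host. The zones, addresses, hosts and ports are constructed for illustration; the point it shows is that a flow is allowed only if every layer it crosses allows it, so a compromised DMZ web server or an ordinary corporate workstation cannot reach the HR database even though the host firewall has an allow rule for some corporate systems.

```python
"""Layered firewall policy as a first-match evaluator.

Added example, not from the presentation. Models the three deployment
points on the slides: the corporate gateway (Internet <-> DMZ <-> corp),
an internal segment gateway in front of the HR network, and a server-based
firewall on the HR database host. All zones, addresses, hosts and ports
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def first_match(rules, src, dst, dport):
    """Return the action of the first matching rule; implicit default deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


# Constructed address plan (RFC 5737 documentation and RFC 1918 ranges).
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
CORP = "10.0.0.0/8"
HR = "10.50.0.0/16"          # sensitive segment inside CORP
WEB = "192.0.2.10"           # public web server in the DMZ
HR_DB = "10.50.1.20"         # HR database host
PAYROLL_APP = "10.10.0.5"    # application server allowed to query HR_DB
JUMP = "10.0.0.9"            # admin jump host

# 1. Corporate gateway: only HTTPS from anywhere to the DMZ web server;
#    the DMZ may never initiate into the internal network; corp may browse out.
GATEWAY = [
    Rule(ANY, WEB, 443, "allow"),
    Rule(DMZ, CORP, None, "deny"),
    Rule(CORP, ANY, 443, "allow"),
]

# 2. Internal segment gateway in front of HR: second layer of defense,
#    admitting only the payroll application and the jump host.
HR_GATEWAY = [
    Rule(PAYROLL_APP + "/32", HR_DB, 1433, "allow"),
    Rule(JUMP + "/32", HR_DB, 22, "allow"),
    Rule(CORP, HR, None, "deny"),
]

# 3. Server-based firewall on the HR database host: granular control, which
#    also covers traffic from inside the HR segment that the gateway never sees.
HR_DB_HOST = [
    Rule(PAYROLL_APP + "/32", HR_DB, 1433, "allow"),
    Rule("10.50.2.0/24", HR_DB, 1433, "allow"),   # HR application subnet
    Rule(JUMP + "/32", HR_DB, 22, "allow"),
]


def zone(ip):
    a = ip_address(ip)
    for name, net in (("hr", HR), ("corp", CORP), ("dmz", DMZ)):  # most specific first
        if a in ip_network(net):
            return name
    return "internet"


def layers_crossed(src, dst):
    """Enforcement points a flow from src to dst passes through, in order."""
    zs, zd = zone(src), zone(dst)
    crossed = []
    if zs != zd and ({zs, zd} & {"internet", "dmz"}):
        crossed.append(("gateway", GATEWAY))
    if (zs == "hr") != (zd == "hr"):
        crossed.append(("hr_gateway", HR_GATEWAY))
    if dst == HR_DB:
        crossed.append(("hr_db_host", HR_DB_HOST))
    return crossed


def verdict(src, dst, dport):
    """'allow' only if every layer on the path allows; otherwise name the layer that denied."""
    for name, rules in layers_crossed(src, dst):
        if first_match(rules, src, dst, dport) == "deny":
            return "deny@" + name
    return "allow"


if __name__ == "__main__":
    for flow in [("203.0.113.5", WEB, 443), (WEB, HR_DB, 1433),
                 ("10.20.0.7", HR_DB, 1433), (PAYROLL_APP, HR_DB, 1433),
                 ("10.50.3.4", HR_DB, 1433)]:
        print(flow, "->", verdict(*flow))
```

Note that the jump host needs an allow rule at both the segment gateway and the database host: an allow on the server-based firewall alone does nothing if the segment gateway in front of it drops the connection, which is exactly the layering the slides describe.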
13
Designed for Security
  • It is always easier to design security into an
    application or an architecture in the beginning
  • Always have upper management involved in setting
    the overall security policy for your organization
  • Involve stakeholders from various departments in
    the design process

14
Create Corporate Policies
  • Acceptable usage
  • Internet usage
  • E-Mail usage (communications)
  • Site Security
  • Acquisition and disposal of assets
  • Change management
  • Audit
  • Employee monitoring

15
Establish a Baseline
  • Conduct an assessment of your
    • People: do you have the right number of people,
      trained in the right disciplines?
    • Process: are the processes you use to manage the
      assets appropriate?
    • Technology: are your assets configured properly,
      sized appropriately and protected as required?

16
Identify and Prioritize Your Risks
  • You can probably accomplish 80% of your security
    needs with 20% of the effort and money
  • The last 20% of your security will be very
    expensive
  • If someone wants to compromise your systems badly
    enough, they will
  • Make it tough for them

17
Develop a Remedial Action Plan
  • Create the project plan
  • Assign accountability
  • Apply remedial action
  • Test the results

18
Manage the Process
  • Monitor the progress of the plan
  • Involve all business units in security design
  • Make any policy violations very painful
  • Conduct vulnerability assessments regularly
  • Monitor your forward-deployed devices constantly
  • Create a disaster recovery plan

19
Technical Processes
  • Backups
    • Off-site media rotations
    • Frequent test restores
  • Virus control
    • Up-to-date software
    • Scan and filter e-mail and web content
  • Security updates
    • Apply vendor-supplied security patches
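"Frequent test restores" as an added example (not code from the presentation or from Wipfli): a backup is only known to be good once it has been restored and compared against a manifest taken at backup time. The Python below backs up a constructed directory tree into a tar archive, records a SHA-256 per file, restores into a scratch directory and checks every file; it then alters bytes in the archive to stand in for bad media and shows the check catching it. File names, contents and the tar layout are assumptions made for the example.

```python
"""Automated test restore of a backup archive.

Added example, not from the presentation. Backs up a constructed directory
tree into a tar archive with a SHA-256 manifest, restores it into a scratch
directory and verifies every file, then shows the check catching an archive
whose contents were altered on the media. All paths are temporary directories.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def backup(root, archive):
    """Write an uncompressed tar of root; return the manifest taken at backup time."""
    expected = manifest(root)
    with tarfile.open(archive, "w") as tar:
        for rel in sorted(expected):
            tar.add(os.path.join(root, rel), arcname=rel)
    return expected


def verify_restore(archive, expected):
    """Restore into a scratch directory and compare against the manifest.

    Returns a list of problems; an empty list means the backup is restorable
    and intact. Unreadable media is reported as a problem rather than raised.
    """
    with tempfile.TemporaryDirectory() as dest:
        try:
            with tarfile.open(archive, "r") as tar:
                try:
                    tar.extractall(dest, filter="data")  # refuse unsafe members
                except TypeError:                         # Python without the filter argument
                    tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = manifest(dest)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing from restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    problems += [f"unexpected file in restore: {rel}" for rel in restored if rel not in expected]
    return sorted(problems)


# Constructed file contents for the demonstration.
SAMPLE_FILES = {
    "hr/payroll.csv": b"employee,salary\nalice,90000\nbob,85000\n",
    "web/index.html": b"<html><body>hello</body></html>\n",
}


def run_demo():
    """Return (problems with the good archive, problems after the media is altered)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        archive = os.path.join(work, "nightly.tar")
        expected = backup(src, archive)
        clean = verify_restore(archive, expected)
        # Simulate damaged media: an uncompressed tar stores file data verbatim,
        # so overwrite bytes inside the payroll record. The tar header checksum
        # does not cover file data, so only the manifest comparison catches this.
        with open(archive, "r+b") as f:
            offset = f.read().find(b"alice,90000")
            f.seek(offset)
            f.write(b"alice,99999")
        damaged = verify_restore(archive, expected)
    return clean, damaged


if __name__ == "__main__":
    print(run_demo())
```

The manifest must be stored somewhere other than on the backup media itself, otherwise a damaged or substituted archive can carry its own matching hashes.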

20
The Patch Management Process
21
Security Errors
  • The top seven management errors, from SANS
  • Assign untrained people to maintain security
  • Failure to align security with business problems
    and strategic initiatives
  • Failure to make necessary process changes
  • Failure to recognize the value of information
    assets

22
Security Errors (Cont'd)
  • From SANS
  • Approve short term fix for long term problem
  • Pretend security will go away if ignored
  • Reliance on a single control solution

23
Train Your Users
  • Do they understand safe computing practices?
  • Do they know the importance of good passwords?
  • Do they understand the value of your
    technological assets?
  • Would your users know a security breach if they
    saw it?
  • Would they know what to do?
  • Policies must be clearly and consistently
    communicated

24
Common User Security Errors
  • Passwords on Post-it notes
  • Computers left unattended
  • Poor passwords
  • Opening e-mail attachments
  • Downloading software from the web
  • Failing to back up data

25
Audit, Audit, Audit
  • Review your logs
    • Security
    • Virus control
    • Backup
    • System
    • Firewall
    • IDS
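Reviewing the logs means looking for specific conditions in each source, not just reading them. As an added example (not code from the presentation or from Wipfli), the Python below runs a review pass over constructed log lines covering four of the sources on the slide: a burst of failed logins in the security log, one internal host denied to many ports in the firewall log, a failed job in the backup log, and a virus scanner whose signatures are weeks old, which is law 8 from the earlier slide. The syslog-like line formats, host names, addresses and the thresholds are assumptions made for the example; the constructed lines are not real logs.

```python
"""Log review over constructed log lines.

Added example, not from the presentation. Exercises four of the log sources
on the slide: security (sshd), firewall, backup and virus control. The line
formats, host names and thresholds are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout; not real logs.
_SCAN = "\n".join(
    f"2024-03-04T02:15:{i:02d} fw1 kernel: DENY IN=eth1 SRC=10.20.0.7 DST=10.50.1.20 PROTO=TCP DPT={p}"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389]))
SAMPLE_LOGS = "\n".join([
    "2024-03-04T02:10:01 bastion sshd[911]: Failed password for root from 198.51.100.7 port 50111 ssh2",
    "2024-03-04T02:10:03 bastion sshd[912]: Failed password for admin from 198.51.100.7 port 50112 ssh2",
    "2024-03-04T02:10:05 bastion sshd[913]: Failed password for oracle from 198.51.100.7 port 50113 ssh2",
    "2024-03-04T02:10:07 bastion sshd[914]: Failed password for test from 198.51.100.7 port 50114 ssh2",
    "2024-03-04T02:10:09 bastion sshd[915]: Failed password for root from 198.51.100.7 port 50115 ssh2",
    "2024-03-04T02:11:00 bastion sshd[916]: Accepted publickey for ops from 10.0.0.9 port 40000 ssh2",
    "2024-03-04T02:30:00 bastion sshd[920]: Failed password for ops from 10.0.0.9 port 40001 ssh2",
    _SCAN,
    "2024-03-04T02:16:00 fw1 kernel: DENY IN=eth1 SRC=10.20.0.8 DST=10.50.1.20 PROTO=TCP DPT=445",
    "2024-03-04T03:00:00 bkp1 backup[77]: job nightly-hr status=FAILED error=\"media not found\"",
    "2024-03-04T03:00:05 bkp1 backup[78]: job nightly-web status=OK",
    "2024-03-04T04:00:00 av1 avscan[5]: signature database date=2024-02-01",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def parse(text):
    """Return (timestamp, host, program, message) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, prog, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, prog, msg))
    return events


def failed_logins(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source with `threshold` failed logins inside any `window`."""
    by_src = defaultdict(list)
    for ts, _, _, msg in events:
        m = re.search(r"Failed password for \S+ from (\S+)", msg)
        if m:
            by_src[m.group(1)].append(ts)
    findings = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append(f"brute force: {threshold} failed logins from {src} within {window.seconds}s")
                break
    return findings


def port_scans(events, min_ports=10):
    """Flag a source denied to many distinct ports on one destination."""
    ports = defaultdict(set)
    for _, _, _, msg in events:
        m = re.search(r"\bDENY\b.*\bSRC=(\S+) DST=(\S+).*\bDPT=(\d+)", msg)
        if m:
            ports[(m.group(1), m.group(2))].add(int(m.group(3)))
    return [f"port scan: {s} -> {d}, {len(p)} ports denied"
            for (s, d), p in ports.items() if len(p) >= min_ports]


def backup_failures(events):
    return [f"backup: job {m.group(1)} failed on {host}"
            for _, host, _, msg in events
            for m in [re.search(r"job (\S+) status=FAILED", msg)] if m]


def stale_signatures(events, now, max_age=timedelta(days=7)):
    """An out-of-date scanner is only marginally better than none (law 8)."""
    findings = []
    for _, host, _, msg in events:
        m = re.search(r"signature database date=(\S+)", msg)
        if m and now - datetime.fromisoformat(m.group(1)) > max_age:
            age = now - datetime.fromisoformat(m.group(1))
            findings.append(f"virus control: signatures on {host} are {age.days} days old")
    return findings


def review(text, now):
    """Run every check; `now` may be a datetime or an ISO 8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    events = parse(text)
    return (failed_logins(events) + port_scans(events)
            + backup_failures(events) + stale_signatures(events, now))


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS, "2024-03-04T06:00:00"):
        print(finding)
```

The single failed login from 10.0.0.9 and the single denied packet from 10.20.0.8 are left in the sample on purpose: thresholds are what keep a log review from drowning in noise, and they are also what an attacker who is patient enough will stay under, so the thresholds belong in the audit policy and should be revisited.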

26
Auditing Policy
  • You must have an audit policy in place!
  • Without it, you have no way to tell when
    something unusual or bad happens
  • You may be required to have it for legal,
    insurance, or compliance reasons
  • What goes in the policy is dependent on your
    organizational goals and objectives

27
Remember
  • Be forever vigilant!

28
Reference Sites
  • www.sans.org: security alerts and articles
  • www.securityfocus.com: policy development
  • www.nwc.com: network security articles
  • www.microsoft.com/security: security best
    practices

29
Questions?