Cyber crime with prevention

By Manish Dixit, CISO, Appin Security Group

Transcript of Cyber crime with prevention

Page 1: Cyber crime with prevention

By Manish Dixit

CISO, Appin Security Group

Page 2: Agenda

Trends
Attacker Motives and Methods
Areas of Concern
Typical Assessment Findings
ISO-17799 & NIST
Typical Remediation Costs

Page 3: Trends

Every Year Dollars are Lost due to Cyber Criminal Activity

Greatest Loss = Proprietary Information

Second Greatest Loss = Denial of Service

Page 4: Elements to Protect

Diagram: the three elements that security protects are Confidentiality, Integrity and Availability.

Page 5

Page 6: Attacker Motives

Financial Rewards
Politics
Show Off
Personal Gratification
They know they can

Page 7: Attacker Methods

Web Site Research
User Groups
Email Staff
Call Modems
Read Trash
Impersonate Someone You Trust
Scan Your Systems
War Drive Your Wireless

Page 8: Attacker Methods (continued)

Use Known and Unknown Exploits
Viruses, Trojans & Worms
Phishing
Attack Partner Networks to Gain Access to Yours
Sniff Your Traffic
Brute Force Passwords
Spam You
Denial of Service

Page 9: Areas of Concern

Intellectual Property
Customers' and Staff's Privacy
Confidential Data
System Availability
Reputation
Regulatory Challenges

Page 10

Roadmap
Establishes Baseline
Strengthens Security
Provides Due Diligence
Efficient Formal Audits
Finds the Weak Areas

Page 11

Holistic Approach
Comprehensive reviews (infrastructure, server, application, etc.)
Based on the organizational security policy, taking the full life cycle into account
Consider people and processes as well as technology

Sensible, accessible documentation
Helpful to executive decision-makers: explanation of risk in business terms
Helpful to managers: project plans, prioritization of tasks
Helpful to technical staff: clear standards, specific recommendations

Threat Modeling
Identifying assets
Identifying threats
Making qualitative (or quantitative) assessments of risk

Page 12: Typical Assessment Findings

1. Policies & Procedures
2. Security Awareness
3. Access and Authorization
4. Patch Management
5. Mis-Configured Systems & Applications
6. Encryption & Digital Signatures
7. Incident Handling Processes
8. Disaster Recovery & Business Continuity
9. Physical Safeguards
10. Intentional Bypassing of Security Controls

Page 13: Policies & Procedures (finding 1)

Communicate Your Organization's Commitment to Security

Provide a Baseline and Roadmap for Security Controls

Demonstrate Due Diligence

All Pertinent Security Control Information Communicated

Realistic – Manageable

Enforceable

Page 14: Security Awareness (finding 2)

A well trained user will assist your security efforts

Time needs to be invested in user training

A well trained user usually requires less help desk support

Page 15: Access and Authorization (finding 3)

Weak Passwords
Sharing Accounts
Not Enforced
Easy to Exploit

Prevention:
Strong Security Policies
Utilize OS Complex Password Configuration
Implement Technical Authentication, Authorization and Accounting (AAA) Mechanisms
Implement Two-Factor Authentication
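As an added example (not from the slides), this is the kind of complexity rule that an OS password configuration enforces, extended with two checks that the "weak passwords" finding usually turns up in practice: rejecting common passwords and their leet-speak or trailing-digit variants, and rejecting passwords that embed the username. Long passphrases are exempted from the character-class rule so the policy does not push users toward short "complex" strings. The thresholds and the common-password list are constructed assumptions, not values from the presentation.

```python
import re

# Constructed sample of common passwords; a real deployment would check against an
# offline copy of a breached-password corpus instead of a short hard-coded set.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein",
    "welcome1", "admin123", "summer2024", "changeme",
}

MIN_LENGTH = 12          # assumed policy values, not from the slides
PASSPHRASE_LENGTH = 20   # at or above this length, character-class mixing is not required
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, symbol
MAX_REPEAT_RUN = 3       # more than 3 identical characters in a row is rejected

# Common substitutions undone before comparing with the dictionary.
_LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def _normalise(password: str) -> str:
    """Lowercase and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(_LEET)


def _strip_suffix(password: str) -> str:
    """Drop trailing digits and symbols so 'Password2024!' compares as 'password'."""
    return re.sub(r"[\d\W_]+$", "", password)


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) < PASSPHRASE_LENGTH and classes < MIN_CLASSES:
        problems.append(f"uses {classes} character classes, policy needs {MIN_CLASSES}")

    if re.search(r"(.)\1{%d,}" % MAX_REPEAT_RUN, password):
        problems.append(f"contains more than {MAX_REPEAT_RUN} identical characters in a row")

    lowered = password.lower()
    normalised = _normalise(password)
    candidates = {lowered, normalised, _strip_suffix(lowered), _normalise(_strip_suffix(lowered))}
    if candidates & COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")

    if len(username) >= 3 and username.lower() in normalised:
        problems.append("contains the username")

    return problems


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd", "alice"), ("Password2024!", ""), ("alice2024!!!!", "alice"),
                     ("correct horse battery staple", ""), ("Xk9#mQ2$vL7pRw", "")):
        print(f"{pw!r}: {check_password(pw, user) or 'accepted'}")
```

The dictionary check matters more than the class count: "P@ssw0rd" satisfies every class rule and is still one of the first guesses any cracking wordlist makes.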

Page 16: Patch Management (finding 4)

Hard to Manage
Shrinking Window of Opportunity between disclosure and exploitation
Exploits are coming too fast
Can Break Systems
Require Resources

Prevention:
Strong Patch Management Mechanisms – Automate
Add Intrusion Prevention Mechanisms

Page 17: Mis-Configured Systems & Applications (finding 5)

Run only needed, up-to-date services

Strengthen SNMP Strings

Secure Wireless Networks

Remove Default Settings

Filter Outgoing Access at Firewall
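Two of the misconfigurations on this slide, default SNMP community strings and unfiltered outgoing access, can be checked mechanically. The following is an added example, not material from the presentation: a small auditor that reads a Net-SNMP style snmpd.conf and an iptables-save style ruleset, with a weak and a hardened version of each constructed inline. The community-string list, the 12-character minimum and the sample addresses are assumptions made for the example.

```python
import re

# Community strings shipped as vendor defaults or present in every scanner wordlist.
DEFAULT_COMMUNITIES = {"public", "private", "community", "snmp", "admin", "cisco", "default"}

WEAK_SNMPD_CONF = """\
# constructed example: a stock snmpd.conf with v1/v2c defaults
rocommunity public
rwcommunity private
syslocation Server Room
"""

HARDENED_SNMPD_CONF = """\
# constructed example: no v1/v2c communities, one read-only SNMPv3 user with auth + privacy
createUser monitor SHA "correct horse battery staple" AES
rouser monitor priv
syslocation Server Room
"""


def audit_snmpd(conf: str) -> list:
    """Flag default, short or unrestricted v1/v2c community strings in snmpd.conf."""
    findings = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(rocommunity|rwcommunity)6?\s+(\S+)(?:\s+(\S+))?", line)
        if not m:
            continue
        directive, community, source = m.groups()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{directive}: default community string '{community}'")
        elif len(community) < 12:
            findings.append(f"{directive}: short community string '{community}'")
        if directive == "rwcommunity":
            findings.append("rwcommunity: write access over v1/v2c, community sent in cleartext; remove it")
        if source is None:
            findings.append(f"{directive}: no source restriction, any host may query")
    return findings


WEAK_FIREWALL = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

HARDENED_FIREWALL = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -d 10.0.0.53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -d 10.0.0.123 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -d 10.0.0.80 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "egress-denied "
COMMIT
"""


def audit_egress(rules: str) -> list:
    """Flag an OUTPUT chain that lets a compromised host talk to arbitrary destinations."""
    findings = []
    policy = None
    output_rules = []
    for line in rules.splitlines():
        if line.startswith(":OUTPUT"):
            policy = line.split()[1]
        elif line.startswith("-A OUTPUT"):
            output_rules.append(line)
    if policy == "ACCEPT":
        findings.append("OUTPUT policy ACCEPT: reverse shells, exfiltration and C2 beacons leave unhindered")
    for r in output_rules:
        if "-j ACCEPT" in r and "-d " not in r and "--ctstate" not in r:
            findings.append(f"OUTPUT rule accepts traffic to any destination: {r}")
    if policy == "DROP" and not any("-j LOG" in r for r in output_rules):
        findings.append("OUTPUT policy DROP but denied egress is not logged; blocked beacons go unnoticed")
    return findings


if __name__ == "__main__":
    for label, result in (("weak snmpd.conf", audit_snmpd(WEAK_SNMPD_CONF)),
                          ("hardened snmpd.conf", audit_snmpd(HARDENED_SNMPD_CONF)),
                          ("weak firewall", audit_egress(WEAK_FIREWALL)),
                          ("hardened firewall", audit_egress(HARDENED_FIREWALL))):
        print(label, "->", result or "clean")
```

The hardened egress ruleset follows the slide's last bullet: default-deny outbound, explicit allowances only to the internal DNS, NTP and proxy addresses, and a LOG rule so that blocked connections feed the logging and intrusion detection controls on the following slides.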

Page 18: Encryption & Digital Signatures (finding 6)

Protects Against:

Forging

Impersonation/Spoofing

Eavesdropping

Intercepting

Denial of Having Sent or Received a Message (Non-Repudiation)
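An added example, not from the slides, of the first two protections on this list. A message whose sender, nonce and body are covered by an HMAC-SHA256 tag cannot be altered (forging) or attributed to another sender (impersonation) without the key, and a nonce cache catches replays. The example uses only the Python standard library, so it stops at a shared-key MAC: that does not provide the slide's last item, non-repudiation, because either holder of the shared key could have produced the tag (an asymmetric signature such as RSA or Ed25519 is needed for that), and it does not hide the body from eavesdropping (encryption is needed for that). The message fields and key are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared key; in practice generated once and kept in a secrets store.
SHARED_KEY = secrets.token_bytes(32)


def _canonical(fields: dict) -> bytes:
    """Serialise the covered fields deterministically so both sides hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, sender: str, body: str, nonce: str = "") -> dict:
    """Attach an HMAC-SHA256 tag binding sender, nonce and body together."""
    msg = {"sender": sender, "nonce": nonce or secrets.token_hex(8), "body": body}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify_message(key: bytes, msg: dict, seen_nonces: set) -> tuple:
    """Return (accepted, reason). Tag is checked before the nonce so a forger learns nothing
    about which nonces have been used."""
    fields = {k: msg[k] for k in ("sender", "nonce", "body") if k in msg}
    if len(fields) != 3 or "tag" not in msg:
        return False, "missing fields"
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):   # constant-time comparison
        return False, "bad tag: forged or modified"
    if msg["nonce"] in seen_nonces:
        return False, "replayed message"
    seen_nonces.add(msg["nonce"])
    return True, "ok"


def demo() -> dict:
    """Run one genuine message and four attacks through the verifier."""
    seen = set()
    good = sign_message(SHARED_KEY, "payroll", "pay 1000 to account 42")
    results = {"genuine": verify_message(SHARED_KEY, good, seen)[1]}

    tampered = dict(good, body="pay 9000 to account 42")             # forging: body altered, tag kept
    results["tampered"] = verify_message(SHARED_KEY, tampered, seen)[1]

    spoofed = dict(good, sender="ceo")                                # impersonation: sender altered
    results["spoofed"] = verify_message(SHARED_KEY, spoofed, seen)[1]

    forged = sign_message(secrets.token_bytes(32), "payroll",        # attacker signs with own key
                          "pay 1000 to account 42", nonce=good["nonce"])
    results["wrong_key"] = verify_message(SHARED_KEY, forged, seen)[1]

    results["replay"] = verify_message(SHARED_KEY, good, seen)[1]    # exact copy re-sent
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} {outcome}")
```

Because the key is shared, the receiver could equally well have produced the tag; that is exactly why a MAC cannot settle a "denial of having sent" dispute and why the slide lists digital signatures separately.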

Page 19: Incident Handling Processes (finding 7)

Intrusion Prevention/Detection

Anti-virus Mechanisms

Logging/Auditing

Strong Policies and Documentation
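The logging and intrusion detection items on this slide are only useful if someone looks at the records for the attacks named earlier in the deck. As an added example (not from the presentation), the following code parses constructed OpenSSH authentication log lines and applies two detections: the password brute force of Page 8 (many failures from one source, and whether a success followed) and the account sharing of Page 15 (one account accepted from several addresses in a short window). The log lines, hostnames, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the traditional syslog layout; not from any real system.
SAMPLE_LOG = """\
Mar  4 09:00:01 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 09:00:02 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  4 09:00:02 web1 sshd[2312]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 09:00:03 web1 sshd[2313]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  4 09:00:04 web1 sshd[2314]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  4 09:00:05 web1 sshd[2315]: Failed password for oracle from 203.0.113.7 port 51027 ssh2
Mar  4 09:00:09 web1 sshd[2316]: Accepted password for oracle from 203.0.113.7 port 51028 ssh2
Mar  4 09:12:40 web1 sshd[2401]: Accepted publickey for deploy from 10.0.0.21 port 40110 ssh2
Mar  4 09:13:02 web1 sshd[2405]: Accepted publickey for deploy from 10.0.0.22 port 40111 ssh2
Mar  4 09:14:15 web1 sshd[2409]: Accepted password for deploy from 10.0.0.23 port 40112 ssh2
Mar  4 09:15:50 web1 sshd[2413]: Accepted publickey for deploy from 10.0.0.24 port 40113 ssh2
Mar  4 09:30:00 web1 sshd[2500]: Failed password for alice from 10.0.0.5 port 50000 ssh2
Mar  4 09:30:20 web1 sshd[2501]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log: str, year: int = 2024) -> list:
    """Turn sshd lines into dicts with a datetime; syslog omits the year, so it is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def detect_brute_force(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Sources with at least `threshold` failures inside `window`, plus any account they then got into."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                success_as = [e["user"] for e in evs if e["result"] == "Accepted" and e["ts"] >= last_fail]
                alerts.append({"src": src, "failures": len(burst),
                               "users_tried": sorted({e["user"] for e in burst}),
                               "success_as": success_as})
                break
    return alerts


def detect_shared_accounts(events: list, min_sources: int = 3, window: timedelta = timedelta(minutes=15)) -> list:
    """Accounts accepted from at least `min_sources` distinct addresses within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "Accepted":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            sources = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(sources) >= min_sources:
                alerts.append({"user": user, "sources": sorted(sources)})
                break
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evs))
    print("shared accounts:", detect_shared_accounts(evs))
```

The brute-force alert carries the accounts tried and the account that finally succeeded; a burst of failures followed by an acceptance from the same address is the case an incident handler has to treat as a compromise rather than as noise.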

Page 20: Disaster Recovery & Business Continuity (finding 8)

Formal Plan

Prioritized Systems

Standard Backup Process

Tested Backups

Redundant Systems
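"Tested Backups" means proving that what was backed up can be restored and matches what was on disk. As an added example (not from the slides), the code below takes a checksum manifest of a constructed directory tree, backs it up to an in-memory tar archive, restores the archive into a scratch directory and diffs the result against the manifest. A second backup job that silently excludes the database files stands in for the misconfigured job that a restore test is meant to catch. All paths and file contents are constructed for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(src: Path, exclude: tuple = ()) -> bytes:
    """Tar the tree into memory. `exclude` simulates a backup job that skips paths by pattern."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file() and not any(p.match(pat) for pat in exclude):
                tar.add(p, arcname=p.relative_to(src).as_posix())
    return buf.getvalue()


def verify_restore(archive: bytes, expected: dict) -> dict:
    """Restore into a scratch directory and report files missing, corrupt or unexpected."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            try:
                # 'data' filter rejects absolute paths and '..' traversal in archive members
                tar.extractall(dest, filter="data")
            except TypeError:  # Python without extraction filters
                tar.extractall(dest)
        restored = manifest(dest)
    return {
        "missing": sorted(set(expected) - set(restored)),
        "corrupt": sorted(k for k in expected if k in restored and restored[k] != expected[k]),
        "unexpected": sorted(set(restored) - set(expected)),
    }


def demo() -> dict:
    """Compare a complete backup and a backup that skipped *.sql against the same manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(os.urandom(4096))   # constructed content
        (src / "db" / "orders.sql").write_bytes(os.urandom(2048))
        (src / "config.ini").write_text("[app]\nkey=value\n")
        expected = manifest(src)
        complete = back_up(src)
        skipped_dbs = back_up(src, exclude=("*.sql",))
        return {"complete": verify_restore(complete, expected),
                "skipped_dbs": verify_restore(skipped_dbs, expected)}


if __name__ == "__main__":
    for job, report in demo().items():
        print(job, "->", report)
```

A job that "succeeds" every night while excluding the databases is indistinguishable from a good one until a restore is attempted; running the restore against a manifest is what turns a backup into a tested backup.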

Page 21: Physical Safeguards (finding 9)

Visitor Badges

Building & Data Center Access/Monitoring

Fire Prevention/Suppression & Detection

UPS Testing and Load

Page 22: Intentional Bypassing of Security Controls (finding 10)

Installing Modems
Wireless Networks
GoToMyPC or other remote access tools
Unauthorized Software – Games, Screensavers, etc.

Prevention:
Strong Security Policies
Centralized and Managed Intrusion Prevention Mechanisms
Implement Network Admission Control

Page 23: ISO-17799 & NIST

National Institute of Standards & Technology (NIST) guidance is referenced throughout most regulations
Policies and procedures are critical to NIST best practices
ISO-17799 is the industry-recognized standard for security
ISO-17799 covers 10 areas of security; each area has individual security items
If you follow NIST and ISO-17799 you will have a strong security posture and should pass almost every audit
Combine NIST 800-26 levels and ISO-17799

Page 24: The 10 ISO-17799 Areas

Security Policies
Organizational Security
Asset Classification & Control
Personnel Security
Physical and Environmental Security
Communications & Operations Management
Access Control
System Development & Maintenance
Business Continuity Management
Compliance

Page 25: NIST 800-26 Levels

Level 1 – control objective documented in a security policy

Level 2 – security controls documented as procedures

Level 3 – procedures have been implemented

Level 4 – procedures and security controls are tested and reviewed

Level 5 – procedures and security controls are fully integrated into a comprehensive program.

Page 26: Business Continuity – NIST Level

Chart (bar values not recoverable from the transcript): NIST 800-26 level, on an axis from 0 to 6, for each ISO-17799 Business Continuity item: Business Continuity Management Process; Business Continuity & Impact Analysis; Writing & Implementing Continuity Plan; Business Continuity Planning Framework; Testing, Maintaining & Reassessing BC Plan. Two series are plotted: Actual Practice and Peer Comparison.

Page 27: Typical Remediation Costs

It is important to budget for remediation

A security assessment without remediation efforts is a waste of time and money

Remediation usually involves resource time and product cost

It is important to budget for one-time and recurring costs

Page 28

Prioritize Risks and Remediation Steps

Align Business and IT Strategies

Establish Resources – Internal, External, Products

Establish Internal SLAs between IT and Business Units

Page 29: Thank You

Thank You

www.berbee.com
www.cisco.com
www.ibm.com
www.microsoft.com
www.rsa.com
www.gocsi.com
www.sans.org
www.nist.gov

Page 30

Introduction
Questions
Background
Techniques
Prevention
Demo
Conclusions

Thank You

Contact: 0612 – 6544454, 9031044450 /51/52/53

Email: [email protected] [email protected]

Website: www.appinonline.com