Information security for business majors

Management of Technology BUS 656 Information Security for Business Paul Melson Manager, Information Security September 29, 2010

Transcript of Information security for business majors

Page 1: Information security for business majors

Management of Technology BUS 656 Information Security for Business

Paul Melson

Manager, Information Security

September 29, 2010

Page 2: Information security for business majors

OK, so how bad is it really?

• Since 2005, 510,544,441 personal records were exposed in 1,735 breaches.

• Every computer on the Internet is attacked an average of 4 times a day.

• In Q2 2010, Symantec wrote 457,641 new anti-virus signatures.

• Internet-based fraud set a new record in 2009, $560 million in losses to US companies.

Page 3: Information security for business majors

Are you scared? …or skeptical?

Page 4: Information security for business majors

The sky is always falling!

• Every network is under constant attack.

• The people that work for you make mistakes.

• If you have computers, data, or money your business is worth exploiting for hackers.

• The world continues to turn.

• The goal of security is to enable your business to survive the hostile environments in which we work and communicate.

Page 5: Information security for business majors

Information Security’s Business Value

• Compliance with laws and standards

– Avoid fines and penalties

– Support the image of your business as trustworthy

• Fraud prevention and response

– Avoid financial losses

– Minimize loss, improve recovery

• Data breach prevention and response

– Avoid financial losses and damaged image

– Minimize impact and duration of the breach

Page 6: Information security for business majors

How Information Security Works

Page 7: Information security for business majors

The Goals of Security

• Confidentiality

• Integrity

• Availability

Page 8: Information security for business majors

Policy

• Policies are just rules and principles.

• Policies are useless if nobody reads them.

• A good security policy ties the desired outcomes (e.g. “mitigate risk,” “ensure compliance”) to high-level tactics (e.g. “password rotation,” “hard drive encryption”), so that every rule can be traced back to the reason it exists.

Page 9: Information security for business majors

Controls

• Preventive

• Auditing

• Monitoring

Page 10: Information security for business majors

Tools of The Trade - Preventive

• Firewall – Network filtering and monitoring device. Used to protect trusted systems from untrusted systems by allowing only the traffic its policy permits and dropping everything else.

• Antivirus – Software that runs on a computer and scans files as they are saved or opened, looking for known patterns (“signatures”). Files that match a known “bad” signature are quarantined or deleted.

• IPS – Intrusion prevention system: a device that sits inline on the network path and inspects the packets flowing through it. Works like antivirus, but for network traffic instead of files. Known “bad” traffic is dropped before it reaches sensitive systems. (A sensor that only watches a copy of the traffic and raises alerts, without being able to drop anything, is an IDS.)

Page 11: Information security for business majors

Tools of The Trade - Auditing

• Vulnerability Scanning – Software that scans addresses and ports on a network looking for known vulnerabilities and reports on them. Used to find weak spots before attackers do.

• Penetration Testing – Hiring specially skilled consultants to try to hack and “social engineer” their way into your systems from the outside, replicating a real attack so you learn what an attacker could actually reach, not just which vulnerabilities exist on paper.

Page 12: Information security for business majors

Tools of The Trade - Monitoring

• SIEM – Software that collects log data from multiple sources (firewall, IPS, servers, etc.) and correlates them looking for suspicious behavior or policy violations. Also used to investigate security incidents.

Page 13: Information security for business majors

Risk Management

• Risk management is what you do once you realize that you can’t do it all right now.

• Identify, Assess, Prioritize, Act

• Risk = Impact x Likelihood

• On prioritization:

– Qualitative

– Quantitative

– Risk scoring mechanisms are only good at describing things relative to each other in the same environment, and they get better over time.
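As an added worked example (not part of the presentation), the two prioritization approaches applied to a small constructed risk register, using the slide's formula Risk = Impact x Likelihood. The qualitative version multiplies ordinal 1-5 ratings; the quantitative version multiplies an estimated annual probability by a dollar loss. The risks, ratings and dollar figures are assumptions made up for the illustration.

```python
# Constructed example risk register (assumed values, not real data).
# Each entry carries both an ordinal 1-5 qualitative rating and a rough
# quantitative estimate: annual probability and dollar loss if it happens.
RISK_REGISTER = [
    {"name": "Lost laptop holding unencrypted customer data",
     "likelihood": 4, "impact": 4, "annual_probability": 0.50, "loss_usd": 400_000},
    {"name": "Public web server compromised through an unpatched vulnerability",
     "likelihood": 3, "impact": 5, "annual_probability": 0.20, "loss_usd": 1_500_000},
    {"name": "Phishing leads to a fraudulent wire transfer",
     "likelihood": 5, "impact": 3, "annual_probability": 0.80, "loss_usd": 150_000},
    {"name": "Multi-day data center outage",
     "likelihood": 2, "impact": 5, "annual_probability": 0.05, "loss_usd": 2_000_000},
]


def qualitative_score(risk):
    """Risk = Impact x Likelihood on ordinal 1-5 scales (range 1..25)."""
    return risk["impact"] * risk["likelihood"]


def quantitative_score(risk):
    """Same formula with estimated inputs: expected annual loss in dollars."""
    return risk["annual_probability"] * risk["loss_usd"]


def prioritize(register, score):
    """Return (name, score) pairs, highest risk first. Ties keep register order."""
    return sorted(((r["name"], score(r)) for r in register), key=lambda p: -p[1])


def ranking_changes(register):
    """Names whose position differs between the two methods. The disagreement
    is not a bug in either score; it is where the estimates need a second look
    and a conversation with the business."""
    q = [n for n, _ in prioritize(register, qualitative_score)]
    d = [n for n, _ in prioritize(register, quantitative_score)]
    return [n for n in q if q.index(n) != d.index(n)]


if __name__ == "__main__":
    print("Qualitative (Impact x Likelihood, 1-5 scales):")
    for name, s in prioritize(RISK_REGISTER, qualitative_score):
        print(f"  {s:>3}  {name}")
    print("Quantitative (expected annual loss, USD):")
    for name, s in prioritize(RISK_REGISTER, quantitative_score):
        print(f"  {s:>10,.0f}  {name}")
    print("Position changes between methods:", ranking_changes(RISK_REGISTER))
```

Both lists only mean something inside this register: a "16" says the laptop risk outranks the outage here, not that it is comparable to a "16" in another company's register. The two methods also disagree about the top two items, which is the kind of relative signal the slide describes, and one that improves as the estimates feeding it are refined over time.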

Page 14: Information security for business majors

Risk Management

• What can we do with risk?

– Avoidance

– Transference

– Mitigation

– Acceptance

Page 15: Information security for business majors

Incident Response

• You will have a very bad day.

• More than once

• Prepare, Identify, Contain, Recover, Learn

• Today, this is your best and only hope.

Page 16: Information security for business majors

Security Case Category: Malware

Page 17: Information security for business majors

Awareness & Consultation

• This is your chance to get ahead of the curve!

• Raising awareness gets you in the loop.

• Goodwill

• Executive Reporting

– Top Security Risks

– Risk Mitigation Plans

– “Big Deal” Events

– Relevant Trends in Metrics

Page 18: Information security for business majors

How IT Security Fails

Page 19: Information security for business majors
Page 20: Information security for business majors
Page 21: Information security for business majors
Page 22: Information security for business majors

You say “potato,” I say “No.”

• Security and compliance tactics are naturally risk-averse

• All successful businesses take calculated risks

• Clear direction from leadership on risk is key

Page 23: Information security for business majors

Communication

• TCP/IP, APT, AV, SIEM, NIDS, HIPS, ISO, COSO

Information Security has its own cryptic language.

• CPA, PAR, SOP, MCS, APR, APV, MBI, PEST

…and so do you.

• Mission statements and corporate values can become a Rosetta Stone

• Al$o, there’$ a $econd univer$al language

Page 24: Information security for business majors

Why Buying Security Fails

• In 1990, if you had a firewall with a default deny policy and were enforcing strong passwords, you were secure. By 1996, it didn’t matter anymore.

• In 2002, if you had a regimented security patch cycle for your servers and were scanning your network for known vulnerabilities, you were secure. By 2007, it didn’t matter anymore.

• In 2010, the pendulum hasn’t swung back yet.

Page 25: Information security for business majors

Discussion