Objective
Raise awareness that IT Security is
1. an important business issue,
2. deserves the attention of the organisational leadership AND
3. must be part of an overall risk management strategy for the organisation
If you are a leader within an organisation
Ask yourself
1. Has computer security received my attention?
2. Do I assist my IT team by providing them with the tools they need to do their jobs?
3. Do I support my IT team by abiding by the policies that have been set?
4. Do we have good company wide IT policies in place?
Probably not
Probably NO
So does anyone care about security?
When we buy a new car we
1. first install the state of the art alarm system
2. then we install a tracker
3. then we insure the car so that if 1 and 2 fail we can still buy another and
4. then we employ security guards – at home, at the office and even on the streets
We always worry about loss or damage to our assets. We crave security!
Where are your company’s assets?
– Buildings
– Vehicles
– Fixtures and fittings
– Computer and office equipment
Is that it?
Information and Data held on computers and servers throughout the organisation is also a business asset
What is the information worth?
1. If your competitor got the names and details of all your customers would you have a problem?
2. If a fire destroyed all your buildings and your records what would you do?
3. If the day before a major tender your hard drive crashed – what would you do?
If you are in the service industry then your information is your PRIMARY asset. It is impossible to put a value on how much it is really worth.
When thinking of your corporate assets INCLUDE your IT systems and the data that resides on them.
Step one to an effective security system
Know what you want to protect
What are the risks to your IT assets?
Physical risks
– Theft
– Damage
– Disaster
– Catastrophe
Digital risks
– Viruses
– Denial of Service
– Unauthorised access
– Abuse of the systems
– Malicious code
Physical Risks
– Walls/fences
– Locks
– Security guards
– Fire detection systems
– Fire proof safes
– Off-site storage of data/backups
Viruses
Well known risk
– How many have AV software?
– How many paid for AV software?
– How do you manage the updates/upgrades process?
  – Do you have a policy?
  – Do you have someone responsible/accountable?
  – Are you protecting all the entry points?
Denial of Service
Attack in which the organisation is denied access to a specific service. Known to have affected global brands such as Yahoo and eBay. Often carried out by exploiting known weaknesses in the OS.
When a DoS attack happens, would you
– know you were being subjected to a DoS attack?
– How would you react?
– Is there a plan in place to deal with the event?
Unauthorised Access
Unauthorised use of your corporate systems – theft, unauthorised changes, deletion, and unauthorised distribution.
Issue of data security and integrity. Many ways these are carried out:
– user error, ex-employees whose passwords are still active, hackers etc.
Impact – from minor embarrassment to multi-million $$$ losses affecting many people.
Unauthorised access 2
What do you do to limit unauthorised access?
– Have you got effective password management?
– Do users know never to give their passwords out to anyone?
– How well does your IDS work?
– Have you investigated encryption?
You have a financial audit annually – when was the last time you had an IT security audit?
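As an added illustration of the “ex-employees whose passwords are still active” and password-management points above (example code written for this page, not part of the original presentation), a small Python check that compares a directory export against an HR leavers list and flags accounts that should already have been disabled, plus enabled accounts with no login for 90 days or more. The account records, the leavers list, the review date and the 90-day threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the presentation): a directory export
# and an HR leavers list. In practice these come from the identity system
# and from HR records respectively.
ACCOUNTS = [
    {"user": "amina", "enabled": True, "last_login": date(2024, 5, 2)},
    {"user": "joseph", "enabled": True, "last_login": date(2024, 1, 15)},
    {"user": "grace", "enabled": False, "last_login": date(2023, 11, 9)},
    {"user": "svc_backup", "enabled": True, "last_login": date(2023, 12, 1)},
    {"user": "peter", "enabled": True, "last_login": date(2024, 4, 30)},
]
LEAVERS = {"joseph", "grace"}          # staff who have left the organisation
SAMPLE_TODAY = date(2024, 5, 6)        # assumed date of the review
DORMANT_AFTER = timedelta(days=90)     # assumed dormancy threshold


def review_accounts(accounts, leavers, today, dormant_after=DORMANT_AFTER):
    """Return a sorted list of (user, reason) findings.

    leaver_active - account still enabled for someone on the leavers list
    dormant       - enabled account with no login for dormant_after or longer
    Disabled accounts are skipped: they are already in the state we want.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if user in leavers:
            findings.append((user, "leaver_active"))
        elif today - acct["last_login"] >= dormant_after:
            findings.append((user, "dormant"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS, LEAVERS, SAMPLE_TODAY):
        print(f"{reason:14} {user}")
```

Running the check on the sample data reports joseph (a leaver whose account is still enabled) and svc_backup (no login for over 90 days); grace is not reported because her account is already disabled.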
Abuse of the Systems
Generally internal to the organisation
– Physical world – my guys having a long break
– Virtual world – use of IT resources for personal use (Lara Croft manuals)
SPAM – unsolicited email sent to people without their consent
Mail relay – use of your bandwidth to send mails (SPAM)
Abuse of the Systems (2)
Why is this an issue?
– TIME
  • Cost of SPAM to a 100 user organisation will exceed US $5,000 per year.
– Use of resources paid for by the organisation
– Loss of business
Do you have an appropriate use policy?
– For example no personal use of email during the working day? No XXX material!
– Company policy on not sending out SPAM mail?
Malicious Code
Software designed to cause losses/damage. Some written by employees (fraud/revenge). More publicity – worms and Trojans:
– Blaster worm – takes advantage of an error in s/w code to spread to many computers and then launch a coordinated attack on the MS Windows update site
– Nachi worm – designed to clean the Blaster worm then delete itself on 1/1/2004
– Klez – around since April but still prevalent and exploits a weakness in IE 5 and 5.5 without SP. Mails itself to people on the mailing list
Malicious Code (2)
How do you guard?
– Employee designed S/W – difficult but needs an effective “authorisation” procedure
– Worms – make sure AV is always up to date and ensure all latest patches are installed
  • Massive task given the number of patches being released
Are you protecting all the different entry points?
Some other issues
IT Staff are probably stretched “fighting fires”
Range of skills unavailable – impossible to be good at everything
Intrusion Detection Systems generating so many alerts impossible to tell actual threats from “background noise”
Lack of management support – I don’t want to know your problems just “fix it”
Recap
Raise awareness that IT Security is
1. an important business issue,
2. deserves the attention of the organisational leadership AND
3. must be part of an overall risk management strategy for the organisation
ACT
– Identify your IT assets and determine their value
– Identify the risks and determine the likelihood of the risk
– Formulate a policy to manage the risks
– Train the users in implementing the policy
– Use a firm that can help you design an effective risk management strategy
Questions?
Contact: Vipul Shah
Tel: 2133040 or 0741 784 786
Email: [email protected]
Mtendeni Street, DSM