Presentation (2010)

______ Security Solutions

Sorry Image Redacted for Privacy

Security

• Overview: What is security?

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction

Presented by. Peleg Holzmann, CISSP

______ & Security• ______

To ....


Overview: Gain Security Awareness

When you hire ______ you do not get one person but rather get a team of highly trained and experienced IT professionals who are experienced in all areas of information security.

______ works with you to understand your business goals, concerns and your organizations vision to create the optimal security solution customized for your individual organization.


A few questions

1. What is your corporate vision for security?

2. Where are you today?

3. Where do you want to be?

4. How do we get there?

5. Did we get there?

6. How do we keep the momentum going?


One Answer

We can help you answer all these questions!



CIA Triangle


Risk


Risk is

the likelihood of the occurrence of a vulnerability

multiplied bythe value of the information asset

minus -

the percentage of risk mitigated by current controlsplus +

the uncertainty of the current knowledge of the vulnerability.

Risk


$25,000

$200

Threat

$1000

$1000

Layered Approach – Defense in Depth

Information Authorized Personnel

Technology People

RedundancyMonitoring Systems

Patches &Updates

Host IDS

Firewalls

Network IDS

Network IPS

Proxy Servers

Encryption

Backups

Access Controls

Policies and Laws

Internet

Networks

Systems

People

Education and Training

Security Planning(IR, DR, BC)


Security Awareness


Awareness Training Education

Attribute “What” “How” “Why”

Level Information Knowledge Insight

Teaching Method Media-Videos-Newsletters-Posters, etc.

Practical Instruction-Lecture-Case study workshop-Hands on practice

Theoretical Instruction-Discussion seminar-Background reading

Test Measure True/FalseMultiple Choice

(Identify Learning)

Problem solving(Apply Learning)

Essay(Interpret Learning)

Impact Time Frame

Short Term Intermediate Long Term

Continual Service Improvement


Typical Information Security Audit Procedure

Step 1:Ascertain Applicable Laws

Requirements

Step 1.1:NIST/ISO Security Standards


Requirements Continued

Information Security

Information Security Management System

Standards / Frameworks (ISO 27000)

Pro

cess

es

Po

lici

es

Pro

ced

ure

s

Pra

ctic

es

Acc

ou

nta

bil

ity

Compliance, Assurance, Audit


Step 1 – Ascertain applicable laws/standards

Determine if your organization needs to meet any laws or standards.• HIPPA• SOX• GLBA• Etc.

Determine if your organization is following any NIST/ISO Standards/Frameworks • ISO 27000 / ITIL• ISO 17799• COBIT• Etc.

• Determine specific requirements


Step 1 – Example HIPPA

Some areas which need to be addressed and documented would include:

Physical SecuritySystems should be located in physically secure locations, whenever possible.

Secure LocationsSecure locations must have physical access controls (Card Key, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security.

Access Control SystemsAccess control systems must be maintained in good working order and records of maintenance, modification and repair activities should be available.

Disaster Recovery…

Back-up Systems and Procedures Media Destruction and Recycling

Account Management and Access Review Emergency Access




Requirements


Step 2:Prepare Project Plan


Step 2 – Project Plan

Utilizing Microsoft Project design and maintain a feasible and detailed project plan.

Each project plan is followed and evaluated constantly to ensure that milestones, schedules and budgets are met.




Requirements



Step 3:Gather Information & Identify Assets

Documentation Review

Interviews


Step 3 – Gather Information

Use tools, interviews and documentation review to analyze business risk profile.


Step 3 – Gather Information - Interviews



Step 3 – Gather Information - Software

Nessus

Secunia

Microsoft Baseline Security Analyzer (MBSA)


Step 3 – Gather Information – Documentation Review




Requirements




Step 4:Perform Risk Analysis


Interviews


Step 4 – Perform Risk Analysis

Risk is

the likelihood of the occurrence of a vulnerability

multiplied bythe value of the information asset

minus -

the percentage of risk mitigated by current controlsplus +

the uncertainty of the current knowledge of the vulnerability.


Step 1:System Characterization


Step 2:Threat Identification

Step 3:Vulnerability Identification

Step 4:Control Analysis

Step 6:Impact Analysis

Loss of CIA

Step 7:Risk Determination

HardwareSoftwareSystem InterfacesData & InformationPeopleSystem Mission

System BoundarySystem FunctionsSystems & Data CriticalitySystem & Data Sensitivity

History of system attacksOutside agency data

Threat Statement

Prior Risk AssessmentsPrior AuditsSecurity RequirementsSecurity Test Results

List of Potential Vulnerabilities

Current ControlsPlanned Controls

List of current & planned controls

Threat Source MotivationThreat CapacityNature of VulnerabilityCurrent Controls

Impact Rating

Mission impact analysisAsset criticality assessmentData criticalityData sensitivity

Impact Ratings

Likelihood of threat exploitationMagnitude of impactAdequacy of planned & Implemented controls

Risk & Associated Risk Levels

Step 5:Likelihood determination

Step 4 – Perform Risk Analysis (Quantitative)

Cost Basis Analysis (CBA)Annualized Cost of Safeguard (ACS)

CBA = ALE (prior) – ALE (Post) - ACS

Quantitative Approach (more detailed and longer time frame)

Single Loss Expectancy (SLE)

Annualized Rate of Occurrence (ARO)

Annualized Loss Expectancy (ALE)

SLE x ARO = ALE


Step 4 – Perform Risk Analysis (Qualitative)

Qualitative Approach (Faster and Cheaper)

Low, Medium, High, Very HighAssign a degree to the asset then create a RISK Matrix Chart similar to sample shown.



At ______ we use both in combination:Quantitative and Qualitative to produce the most accurate risk matrix.

Quantitative Qualitative




At ______ we use both in combination:Quantitative and Qualitative to produce the most accurate risk matrix.

Identify Information Assets

Vulnerability Worksheet

Control StrategyAnd Plan

AccessControl

Implement Control

AdequateControls?

Plan forMaintenance

MeasureRisk to Asset

AdequateRisk?NO

NO

YES YES




Requirements





Step 5:Report Findings & Recommendations


Interviews


Step 5 – Report Findings and Recommendations




Requirements






Step 6:Prepare Implementation Plan


Interviews


Step 6 – Implementation Plan


Step 4 – Example of Patches and Vulnerabilities





Requirements






Step 6:Prepare Implementation Plan

Step 7:Continual Service Improvement


Interviews


Step 7: Continual Service Improvement


Some Examples….


Firewall Rules



Wi-Fi Site Analysis


Network Analysis



Documentation – MacAfee Epolicy Orchestrator



Patch / Change Management Report



Risk Assessment



Documentation Review / Audits



Documentation Work Area Recovery Recommendations



Documentation Business Impact Analysis (BIA)



Control Objective



Policy Document



Standards Document



We help you assemble your complete security solution


Presentation (2010)

Documents

Transcript of Presentation (2010)