Primer for Information Security Programs
PRIMER FOR INFOSEC PROGRAMS
Richard Greenberg, CISSP, ISSA Fellow
President, ISSA Los Angeles, www.issa-la.org
President, OWASP Los Angeles, www.owaspla.org
LinkedIn: http://www.linkedin.com/in/richardagreenberg
CURRENT STATE OF AFFAIRS
• Breaches are Occurring Everywhere in Every Industry
• Phishing Attacks are Multiplying and are Now the Preferred Method of Infiltration
• Ransomware is Growing as a Targeted Attack
• It is Difficult to Secure Application Development Environments
• Breaches Are Not Discovered for 6-9 Months
  • Often Discovered by External Source
RECENT BREACHES
• Anthem: 78.8 million records
• Target: 42 million people’s credit or debit information stolen; banks file class-action lawsuit against Target
• Home Depot: estimated 56 million credit and debit card numbers
• JPMorgan: 76 million households and 7 million small businesses
• Carbanak: $1 billion stolen from more than 100 banks in 30 countries
• AdultFriendFinder.com: 3.9 million users' personal details and sexual preferences
DATA BREACH COSTS
• Average Cost of a Data Breach in the US is $6.5 million, the highest in the world
• One estimate of the cost to Home Depot is $10 billion by 2020
• Cost in Health Care Organizations Could be as much as $363 Per Record
THE TIMES THEY ARE A CHANGIN’
• Every Business is Now a Target
• Every Medical Device Could be a Target
• Every Car Could be a Target
• Every Refrigerator Could be a Target
• Every Drone Could be an Attacker
AWARENESS OF SECURITY SEEMS TO BE EVERYWHERE!
• Boardrooms Now Have Security on their Agendas 80% of the Time
• Breaches are a Weekly News Item on Mainstream Media
• Cousins Call Us for Advice or to Ask What We Think of the Latest Attack
• Congress is Talking About Security
WHAT THE $%#%^%&*?
Old Vulnerabilities Are Still Everywhere
• SQL Injection (in the OWASP Top 10 in 2007 and still there!)
• 44% of known breaches in 2014 came from vulnerabilities that were between two and four years old [1]
Patching is Still Problematic
Change Management is Not Happening
Configuration Management is Not Happening
Our Mission Critical Information is Not Encrypted
[1] HP 2015 Cyber Risk Report
OUR WORKFORCE HAS GONE PHISHING!
• Click That Link!
• Open That Attachment!
• Open That Email From the Unknown Sender
• Respond to that “Too Good to be True” Email Scam!
• Forward that Funny Attachment to Everyone!
• We Love Port 80!!
WHAT’S A GOOD SECURITY LEADER TO DO?!
Go on Tour
• Security Awareness Training for Everyone
• Address Your Company’s Vulnerability Trends
• Gamify Your Training
• Provide Incentives and Prizes
• Please, No Death by PowerPoint
Speak at Division Meetings
Speak at General Staff Meetings
MEET WITH KEY PLAYERS
Lunch with all Executives
Meet Regularly With:
• CTO or Head of System Admins
• Division Heads
• Legal
• Risk Compliance
Learn to Talk “Businessese”
CREATE AND ENFORCE POLICIES, STANDARDS, AND PROCEDURES
Ensure a Standard Image is Created
• Is Regularly Updated
• Is Regularly Tested
• Deployed Everywhere, Especially on Admin Systems
No One Should Be Regularly Logged in with Admin Privileges
Have a Plan and Procedures for Securing Portable Devices and BYOD
BAKE SECURITY INTO THE SDLC
• Embrace and Befriend the Head of Application Development
• Utilize Static/Dynamic Web App Vulnerability Scanners
• Have All Staff in AppDev Take Secure Coding Training
• All Project Proposals Must be Reviewed by InfoSec
• Work with the PMO
SECURE YOUR PHYSICAL ENVIRONMENT
• Does Your Facilities Head Purchase Physical Security Solutions Without InfoSec Involvement or Knowledge?
• Are Your Physical Security Access Cards Waaay too Easy to Hack? Most Are!
• Do You Know Who Has Access to Your Data Center? Are You Sure?
• Can People Leave Your Buildings Carrying Anything They Want?
MONITOR SYSTEMS REGULARLY
• Are You Able to Detect Anomalies on Your Networks?
• Do You Know if You Have Been Compromised? Probably Not!
• Would You be able to Detect Strange Outbound Traffic to, Let’s Say, China or North Korea?
• Monitor Unusual Changes in User Behavior
• Do You Know if 50 Users All Had Their Accounts Locked After Unsuccessful Login Attempts?
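The last question on this slide is a concrete detection the deck leaves as an exercise: a burst of account lockouts across many users in a short window is a classic signal of a password-spraying attempt or a misconfigured service account, and it is only visible if someone is counting. The following is an added example, not part of the original deck, showing how such a check can be run over authentication events. The log format (`host=`, `user=`, `event=` pairs), the sample lines and the 10-minute window and threshold of five distinct users are constructed assumptions; real directory or SIEM exports carry the same information in their own field names.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not from the slides): one authentication event per line.
SAMPLE_LOG = """\
2015-06-01T08:00:05Z host=dc01 user=alice event=logon_failure
2015-06-01T08:00:09Z host=dc01 user=alice event=logon_failure
2015-06-01T08:00:12Z host=dc01 user=alice event=account_locked
2015-06-01T08:00:15Z host=dc01 user=bob event=account_locked
2015-06-01T08:00:20Z host=dc02 user=carol event=account_locked
2015-06-01T08:00:22Z host=dc02 user=carol event=account_locked
2015-06-01T08:03:40Z host=dc01 user=dave event=account_locked
2015-06-01T08:04:01Z host=dc01 user=erin event=account_locked
2015-06-01T09:30:00Z host=dc01 user=frank event=account_locked
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def lockout_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per burst: (window_start, window_end, sorted distinct users).

    Events are processed in time order; a sliding window keeps only lockouts no
    older than `window`. An alert fires when the window holds at least `threshold`
    distinct locked users, and re-fires only when a user not already alerted on
    joins the window, so one burst does not produce one alert per event.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    locked = sorted((e["ts"], e["user"]) for e in events if e["event"] == "account_locked")

    alerts = []
    window_events = deque()
    alerted_users = set()
    for ts, user in locked:
        window_events.append((ts, user))
        # Drop lockouts that fell out of the window.
        while window_events and ts - window_events[0][0] > window:
            window_events.popleft()
        distinct = {u for _, u in window_events}
        if len(distinct) >= threshold and not distinct <= alerted_users:
            alerts.append((window_events[0][0], ts, sorted(distinct)))
            alerted_users |= distinct
    return alerts


if __name__ == "__main__":
    for start, end, users in lockout_bursts(SAMPLE_LOG):
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: {len(users)} accounts locked: {', '.join(users)}")
```

On the sample data the five lockouts between 08:00 and 08:04 trigger a single alert, while the isolated lockout at 09:30 does not. Tuning the threshold and window to the organization's normal lockout rate is the work that makes this useful; the right answer for "50 users" will be very different from the right answer for a 200-person company.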
CREATE AND REVIEW REPORTS
• Create Remediation Plans After Reviewing Network Vulnerability Scans
• Compare Reports From Various Tools: Patch Management, Vulnerability Scanning, Anti-Malware
• Follow-up on Remediation Efforts
• Rescan and Review Reports
• Look for Patterns in Incidents in Your HelpDesk Database
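"Compare reports from various tools" pays off when the comparison is mechanical: the patch tool's claim that a fix is installed can be checked against what the scanner still sees on the same host, and hosts that appear in one tool but not the other are coverage gaps. The following is an added example, not part of the original deck, that reconciles two such exports. The CSV columns, the host names and the `PATCH-00n` identifiers are constructed assumptions; real exports differ in column names but carry the same three facts (host, patch, status / host, finding, fixing patch).

```python
import csv
from io import StringIO

# Constructed sample exports (not from the slides).
# Patch management: what the tool believes it has deployed.
PATCH_REPORT = """\
host,patch_id,status
web01,PATCH-001,installed
web01,PATCH-002,installed
db01,PATCH-001,installed
db01,PATCH-002,pending
app01,PATCH-001,installed
"""

# Vulnerability scanner: what is still observable on the wire, with the patch that fixes it.
VULN_SCAN = """\
host,finding,fixed_by
web01,Outdated TLS library,PATCH-001
db01,Outdated TLS library,PATCH-001
db01,Kernel privilege escalation,PATCH-002
hr01,Outdated TLS library,PATCH-001
"""


def load_csv(text):
    return list(csv.DictReader(StringIO(text)))


def reconcile(patch_csv, vuln_csv):
    """Cross-check patch claims against scan findings.

    Returns three sorted lists:
      contradicted  - (host, patch) the patch tool reports installed but the scanner
                      still flags; investigate (reboot pending, failed install, or
                      scanner false positive).
      open_backlog  - (host, patch) both tools agree is outstanding; this is the
                      remediation plan.
      unmanaged     - hosts the scanner found that the patch tool does not know about.
    """
    patches = load_csv(patch_csv)
    findings = load_csv(vuln_csv)

    managed_hosts = {r["host"] for r in patches}
    installed = {(r["host"], r["patch_id"]) for r in patches if r["status"] == "installed"}
    pending = {(r["host"], r["patch_id"]) for r in patches if r["status"] != "installed"}

    contradicted = sorted({(f["host"], f["fixed_by"]) for f in findings
                           if (f["host"], f["fixed_by"]) in installed})
    open_backlog = sorted({(f["host"], f["fixed_by"]) for f in findings
                           if (f["host"], f["fixed_by"]) in pending})
    unmanaged = sorted({f["host"] for f in findings} - managed_hosts)
    return {"contradicted": contradicted, "open_backlog": open_backlog, "unmanaged": unmanaged}


if __name__ == "__main__":
    for bucket, rows in reconcile(PATCH_REPORT, VULN_SCAN).items():
        print(bucket)
        for row in rows:
            print("  ", row)
```

On the sample data the patch tool's "installed" claim for PATCH-001 on web01 and db01 is contradicted by the scanner, db01's PATCH-002 is a confirmed backlog item, and hr01 is being scanned but not patched at all. Running the same reconciliation after the rescan is the "follow-up on remediation efforts" step: the contradicted and backlog lists should shrink, and if they do not, the remediation plan was not executed.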
ENFORCE ACCESS MANAGEMENT STANDARDS
• Work With HR to Establish Provisioning/Deprovisioning Procedures
• Enforce Process to Approve and Grant Access to Systems
• Enforce Deprovisioning Procedures
• Periodically Audit Systems Access
• Two Factors Required for all Admin Access to Mission Critical Systems
NETWORK AND COLLABORATE
• Attend Networking Events
• Make New Contacts
• Share War Stories and Solutions
• Join ISSA, OWASP, ISACA, CSA, HTCIA, etc.
• Form New Groups
• Look for Meetups
• Leave Here Today With at Least 5 New Contacts; Follow-up with them
KEEP LEARNING
• Webcasts
• Classes
• Podcasts
• Books
• LinkedIn and Twitter Links
• Blogs
• Networking Events and Conferences
HELP PREPARE THE NEXT GENERATION OF SECURITY LEADERS
• Hire Students
• Train and Mentor Your Staff
• Speak at Schools
• Support Cyber Competitions
• Help Schools With their Curriculum
• Teach Security at Schools
THANK YOU!
Stay Safe
Stay Hungry for Knowledge
Believe in Yourself
Live Long and Prosper!