Download - Information Security Course for Executives
Information Securityfor Executives
Free webinar
Iftach Ian Amit
Agenda• Latest Trends• Application Security• Risk Management
Latest Trends in Information Security
• Convergence• Virtualization• Cloudification• Externalization• Consumerization• Operationalization
Convergence• Endpoint (forget desktops...)• e-mail• Web• “next-gen” firewalls
Virtualization and Cloudification
Externalization• Are you on LinkedIn?• Facebook?• Are your customers?• Partners?• Competitors?
Consumerization
Operationalization
Agenda• Latest Trends• Application Security• Risk Management
Application Security• Methodology• Threats, attacks, exposure surface• Application threats• Mobile• Testing• Regulation/Compliance?
Methodology
“If you have an application with more than a single purpose interface, you are most likely to have a vulnerability in it”
[wise-old-sage]
This is why we have such a high success rate in pen-
tests...
Threats, Attacks and Exposure Surface
• Extreme coverage over the past 10 years• Not a lot of solutions– That you can “buy and forget”
• Back to the human factor–Which is harder to fix...
Application Threats• XSS• CSRF• SQL Injection• Parameter tampering• Session hijacking
Mobile“And now, make everything work on my
iPhone...” [management]
“And now, I have a chance to repeat every mistake again for this new platform”
[development]
Testing• Security never really fit into your QA
schedule didn’t it?
• Can you really think like the bad guys? Do you want to?
Regulation• That’s an easy one:
– Pay to get certified, right?
• It doesn’t really feel that much better now...
–Maybe we should get things fixed for real
– ...and still get certified
Agenda• Latest Trends• Application Security• Risk Management
Risk Management• What is your risk?• Measure, Quantify!• Manage• Optimize expenses
Identifying your Risks• What are the bad guys after?
• Simple...
Measuring Risk
From:“So, we pinpointed the one line of code
that caused this thing to fail...”
To:“This issue will cost us $1500 for every
time someone exploits it”
How to Measure?• Identify your (information) assets• Identify the threats for each asset– And their capability– And the controls that are in place to protect the
vulnerabilities– And their frequency
• Derive a loss event frequency• Estimate the loss magnitude
Managing Risk
Guesswhichone
is it???
Optimize• When done right, this can save you money:
– More focused measures to protect assets at risk
– Less vendor bloat
– Less external services required
– Improved development cycles
Don’t re-invent the wheel…
Use tried and tested methodologies and practices
All rights reserved to Security Art Ltd 2002 - 2009
FAIR (Factor Analysis of Information Risk)
