Information security for business majors
Management of Technology BUS 656
Information Security for Business
Paul Melson
Manager, Information Security
September 29, 2010
OK, so how bad is it really?
• Since 2005, 510,544,441 personal records were exposed in 1,735 breaches.
• Every computer on the Internet is attacked an average of 4 times a day.
• In Q2 2010, Symantec wrote 457,641 new anti-virus signatures.
• Internet-based fraud set a new record in 2009, $560 million in losses to US companies.
Are you scared? …or skeptical?
The sky is always falling!
• Every network is under constant attack.
• The people that work for you make mistakes.
• If you have computers, data, or money, your business is worth exploiting to hackers.
• The world continues to turn.
• The goal of security is to enable your business to survive the hostile environments in which we work and communicate.
Information Security’s Business Value
• Compliance with laws and standards
– Avoid fines and penalties
– Support the image of your business as trustworthy
• Fraud prevention and response
– Avoid financial losses
– Minimize loss, improve recovery
• Data breach prevention and response
– Avoid financial losses and damaged image
– Minimize impact and duration of the breach
How Information Security Works
The Goals of Security
• Confidentiality
• Integrity
• Availability
Policy
• Policies are just rules and principles.
• Policies are useless if nobody reads them.
• A good security policy ties the desired outcomes (e.g. “mitigate risk,” “ensure compliance”) to high-level tactics (e.g. “password rotation,” “hard drive encryption”).
Controls
• Preventive
• Auditing
• Monitoring
Tools of The Trade - Preventive
• Firewall – Network filtering and monitoring device. Used to protect trusted systems from untrusted systems.
• Antivirus – Software that runs on a computer and scans files as they are saved or opened for patterns (“signatures”). Known “bad” files are deleted.
• IPS – Intrusion prevention system: a device that “sniffs” traffic on the network. Works like antivirus, but on network packets instead of files. Known “bad” traffic is dropped before it reaches sensitive systems.
Tools of The Trade - Auditing
• Vulnerability Scanning – Software that scans addresses and ports on a network looking for known vulnerabilities and reports on them. Used to find weak spots before attackers do.
• Penetration Testing – Hiring specially skilled consultants to try to hack and “social engineer” their way into your systems from the outside, replicating a real attack.
Tools of The Trade - Monitoring
• SIEM – Security information and event management: software that collects log data from multiple sources (firewall, IPS, servers, etc.) and correlates them, looking for suspicious behavior or policy violations. Also used to investigate security incidents.
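To make the “collect and correlate” idea concrete, here is an added example (not from the slides) of the smallest possible SIEM-style pipeline: two constructed log sources in simplified, assumed formats are normalized into one event vocabulary, and a single correlation rule flags a successful login that follows a burst of failed logins from the same address, with the firewall log corroborating the connection.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the slides); both formats are assumed.
SERVER_LOG = """\
2010-09-29 08:00:01 sshd auth failed user=admin src=203.0.113.7
2010-09-29 08:00:04 sshd auth failed user=admin src=203.0.113.7
2010-09-29 08:00:09 sshd auth failed user=root src=203.0.113.7
2010-09-29 08:00:15 sshd auth ok user=admin src=203.0.113.7
2010-09-29 08:05:00 sshd auth ok user=jsmith src=198.51.100.20
"""
FIREWALL_LOG = """\
2010-09-29 08:00:00 fw allow tcp src=203.0.113.7 dst=10.0.0.5:22
2010-09-29 08:04:58 fw allow tcp src=198.51.100.20 dst=10.0.0.5:22
"""

TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
SRC = re.compile(r"src=([\d.]+)")
# Each source's own wording is mapped onto one shared event vocabulary.
KINDS = {"auth failed": "auth_fail", "auth ok": "auth_ok", "fw allow": "fw_allow"}


def parse(text, source):
    """Normalize one source's lines into (time, source, kind, src_ip) events."""
    events = []
    for line in text.splitlines():
        m, ip = TS.match(line), SRC.search(line)
        if not (m and ip):
            continue  # a real SIEM would count unparsed lines as a health metric
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        kind = next((k for phrase, k in KINDS.items() if phrase in m.group(2)), "other")
        events.append((when, source, kind, ip.group(1)))
    return events


def correlate(events, min_failures=3, window=timedelta(minutes=2)):
    """Rule: a successful login preceded by >= min_failures failed logins from the
    same address inside the window is a likely password-guessing success."""
    events = sorted(events)
    alerts = []
    for when, _, kind, ip in events:
        if kind != "auth_ok":
            continue
        fails = [e for e in events
                 if e[2] == "auth_fail" and e[3] == ip and when - window <= e[0] < when]
        if len(fails) >= min_failures:
            fw = any(e[2] == "fw_allow" and e[3] == ip and e[0] <= when for e in events)
            alerts.append({"src": ip, "at": when, "failures": len(fails),
                           "firewall_corroborates": fw})
    return alerts
```

Run `correlate(parse(SERVER_LOG, "server") + parse(FIREWALL_LOG, "firewall"))` to see the one alert for 203.0.113.7; the 198.51.100.20 login has no preceding failures and stays quiet.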
Risk Management
• Risk management is what you do once you realize that you can’t do it all right now.
• Identify, Assess, Prioritize, Act
• Risk = Impact x Likelihood
• On prioritization:
– Qualitative
– Quantitative
– Risk scoring mechanisms are only good at describing things relative to each other in the same environment, and they get better over time.
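An added example (not from the slides) that runs the Identify, Assess, Prioritize steps over a constructed risk register, scoring it both ways: the qualitative Risk = Impact x Likelihood product on 1-5 scales, and a quantitative expected annual loss from invented dollar and probability figures for the same items. The two methods rank the same items differently, which is the point of the last bullet: a score only compares items assessed the same way in the same environment.

```python
# Constructed sample risk register, not from the slides. Impact and likelihood
# are 1-5 ordinal scores; the dollar loss and annual probability for the same
# items are invented figures used only for the quantitative comparison.
REGISTER = [
    # (name, impact 1-5, likelihood 1-5, loss if it happens in $, probability per year)
    ("Laptop with customer data lost",  4, 4,   250_000, 0.50),
    ("Web server compromised",          5, 2, 1_500_000, 0.10),
    ("Phishing leads to wire fraud",    3, 5,    80_000, 0.80),
    ("Backup tapes unreadable",         5, 1, 3_000_000, 0.02),
]


def qualitative(register):
    """Risk = Impact x Likelihood on the ordinal scales, highest first."""
    scored = [(name, imp * lik) for name, imp, lik, _, _ in register]
    return sorted(scored, key=lambda r: r[1], reverse=True)


def quantitative(register):
    """Expected annual loss = loss x probability per year, highest first."""
    scored = [(name, loss * p) for name, _, _, loss, p in register]
    return sorted(scored, key=lambda r: r[1], reverse=True)


def band(score):
    """Map a 1..25 qualitative score onto the bands a leadership report uses."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def ranking_differs(register):
    """True when the two methods order the items differently: a score is only
    meaningful relative to other items assessed the same way."""
    by_score = [name for name, _ in qualitative(register)]
    by_loss = [name for name, _ in quantitative(register)]
    return by_score != by_loss


if __name__ == "__main__":
    for name, score in qualitative(REGISTER):
        print(f"{score:>3} {band(score):<6} {name}")
    print("orderings differ:", ranking_differs(REGISTER))
```

With these figures the qualitative method puts the lost laptop first, while the expected-loss method puts the web server compromise first; neither is "wrong", they simply answer different questions.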
Risk Management
• What can we do with risk?
– Avoidance
– Transference
– Mitigation
– Acceptance
Incident Response
• You will have a very bad day.
• More than once
• Prepare, Identify, Contain, Recover, Learn
• Today, this is your best and only hope.
Security Case Category: Malware
Awareness & Consultation
• This is your chance to get ahead of the curve!
• Raising awareness gets you in the loop.
• Goodwill
• Executive Reporting
– Top Security Risks
– Risk Mitigation Plans
– “Big Deal” Events
– Relevant Trends in Metrics
How IT Security Fails
You say “potato,” I say “No.”
• Security and compliance tactics are naturally risk-averse
• All successful businesses take calculated risks
• Clear direction from leadership on risk is key
Communication
• TCP/IP, APT, AV, SIEM, NIDS, HIPS, ISO, COSO
Information Security has its own cryptic language.
• CPA, PAR, SOP, MCS, APR, APV, MBI, PEST
…and so do you.
• Mission statements and corporate values can become a Rosetta Stone
• Al$o, there’$ a $econd univer$al language
Why Buying Security Fails
• In 1990, if you had a firewall with a default deny policy and were enforcing strong passwords, you were secure. By 1996, it didn’t matter anymore.
• In 2002, if you had a regimented security patch cycle for your servers and were scanning your network for known vulnerabilities, you were secure. By 2007, it didn’t matter anymore.
• In 2010, the pendulum hasn’t swung back yet.
Discussion