Information Security for Executives: Free webinar, Iftach Ian Amit

Post on 14-Jan-2015


DESCRIPTION

Information Security Latest Trends
• Convergence onto security platforms: endpoint, email security gateway, web security gateway, and next-generation firewall
• Virtualization: virtualization of security controls will alter the information security landscape.
• Cloudification: how to enforce an enterprise security policy in the cloud age?
• Externalization: how to be open, social and encourage secure collaboration with external entities?
• Consumerization: increasingly, employees want to use their consumer technology (systems and software) for business use.
• Operationalization: security needs both a strategy / R&D component and an operational component. The strategy / R&D team needs time and resources to tackle new and emerging threats.

Application Security
• Methodology
• Threats, attacks, vulnerabilities, and countermeasures
• Application threats / attacks
• Mobile application security
• Security testing for applications
• Security standards and regulations

Information Risk Management
• Understanding your risk
• Measuring and quantifying your risk
• Managing your risk
• Optimizing expenses

Presented by: Security Art. Security Art is an information security and risk management consulting and advisory boutique. They use a multi-disciplinary approach with years of hands-on experience, giving businesses the strategic path to address all their information security and risk management needs.

TRANSCRIPT

Page 1: Information Security Course for Executives

Information Security for Executives

Free webinar

Iftach Ian Amit

Page 2: Information Security Course for Executives

Agenda
• Latest Trends
• Application Security
• Risk Management

Page 3: Information Security Course for Executives

Latest Trends in Information Security

• Convergence
• Virtualization
• Cloudification
• Externalization
• Consumerization
• Operationalization

Page 4: Information Security Course for Executives

Convergence
• Endpoint (forget desktops...)
• e-mail
• Web
• “next-gen” firewalls

Page 5: Information Security Course for Executives

Virtualization and Cloudification

Page 6: Information Security Course for Executives

Externalization
• Are you on LinkedIn?
• Facebook?
• Are your customers?
• Partners?
• Competitors?

Page 7: Information Security Course for Executives

Consumerization

Page 8: Information Security Course for Executives

Operationalization

Page 9: Information Security Course for Executives

Agenda
• Latest Trends
• Application Security
• Risk Management

Page 10: Information Security Course for Executives

Application Security
• Methodology
• Threats, attacks, exposure surface
• Application threats
• Mobile
• Testing
• Regulation/Compliance?

Page 11: Information Security Course for Executives

Methodology

“If you have an application with more than a single purpose interface, you are most likely to have a vulnerability in it” [wise-old-sage]

This is why we have such a high success rate in pen-tests...

Page 12: Information Security Course for Executives

Threats, Attacks and Exposure Surface

• Extreme coverage over the past 10 years
• Not a lot of solutions
– That you can “buy and forget”
• Back to the human factor
– Which is harder to fix...

Page 13: Information Security Course for Executives

Application Threats
• XSS
• CSRF
• SQL Injection
• Parameter tampering
• Session hijacking

Page 14: Information Security Course for Executives

Mobile

“And now, make everything work on my iPhone...” [management]

“And now, I have a chance to repeat every mistake again for this new platform” [development]

Page 15: Information Security Course for Executives

Testing
• Security never really fit into your QA schedule, did it?
• Can you really think like the bad guys? Do you want to?

Page 16: Information Security Course for Executives

Regulation
• That’s an easy one:
– Pay to get certified, right?
• It doesn’t really feel that much better now...
– Maybe we should get things fixed for real
– ...and still get certified

Page 17: Information Security Course for Executives

Agenda
• Latest Trends
• Application Security
• Risk Management

Page 18: Information Security Course for Executives

Risk Management
• What is your risk?
• Measure, Quantify!
• Manage
• Optimize expenses

Page 19: Information Security Course for Executives

Identifying your Risks
• What are the bad guys after?
• Simple...

Page 20: Information Security Course for Executives

Measuring Risk

From: “So, we pinpointed the one line of code that caused this thing to fail...”

To: “This issue will cost us $1500 for every time someone exploits it”

Page 21: Information Security Course for Executives

How to Measure?
• Identify your (information) assets
• Identify the threats for each asset
– And their capability
– And the controls that are in place to protect the vulnerabilities
– And their frequency
• Derive a loss event frequency
• Estimate the loss magnitude
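The chain on this slide (assets, threats and their frequency, controls, loss event frequency, loss magnitude) is the FAIR model the deck recommends on its closing slide. As an added example, not the presenter's material, it is carried through below in Python for one constructed scenario; the scenario, its three-point estimates and the control cost are all assumed figures, and the "$1500 per exploitation" from the previous slide is reused as the most-likely loss magnitude.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) of an uncertain quantity."""
    low: float
    likely: float
    high: float

    def pert_mean(self) -> float:
        # PERT weighting: the most-likely value counts four times each extreme.
        return (self.low + 4 * self.likely + self.high) / 6

@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    threat_event_frequency: Estimate  # attempts per year against the asset
    vulnerability: Estimate           # probability an attempt becomes a loss event (0..1)
    loss_magnitude: Estimate          # cost of one loss event, in dollars

    def loss_event_frequency(self) -> float:
        # FAIR: loss event frequency = threat event frequency x vulnerability
        return self.threat_event_frequency.pert_mean() * self.vulnerability.pert_mean()

    def annualized_loss(self) -> float:
        # Annualized loss exposure = loss event frequency x loss magnitude
        return self.loss_event_frequency() * self.loss_magnitude.pert_mean()

def rosi(before: Scenario, after: Scenario, control_cost: float) -> float:
    """Return on security investment: (loss avoided per year - control cost) / control cost."""
    avoided = before.annualized_loss() - after.annualized_loss()
    return (avoided - control_cost) / control_cost

# Constructed inputs: SQL injection against a customer database; the fix (parameterized queries)
# only lowers the vulnerability estimate, attacker activity and breach cost are unchanged.
BASELINE = Scenario(
    asset="customer database",
    threat="SQL injection through the public web application",
    threat_event_frequency=Estimate(10, 30, 100),
    vulnerability=Estimate(0.2, 0.4, 0.6),
    loss_magnitude=Estimate(500, 1500, 5000),
)
HARDENED = replace(BASELINE, vulnerability=Estimate(0.01, 0.03, 0.10))
CONTROL_COST = 20_000.0  # assumed cost of the remediation work

if __name__ == "__main__":
    for s in (BASELINE, HARDENED):
        print(f"{s.loss_event_frequency():.2f} loss events/yr, ${s.annualized_loss():,.0f}/yr exposure")
    print(f"ROSI of the fix: {rosi(BASELINE, HARDENED, CONTROL_COST):.0%}")
```

Swapping in a different control (a web application firewall, say) means changing only the vulnerability estimate and the control cost, which is how the "optimize expenses" step of the deck compares candidate spend.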

Page 22: Information Security Course for Executives

Managing Risk

Guess which one is it???

Page 23: Information Security Course for Executives

Optimize
• When done right, this can save you money:

– More focused measures to protect assets at risk

– Less vendor bloat

– Less external services required

– Improved development cycles

Page 24: Information Security Course for Executives

Don’t re-invent the wheel…

Use tried and tested methodologies and practices: FAIR (Factor Analysis of Information Risk)

All rights reserved to Security Art Ltd 2002 - 2009

Page 25: Information Security Course for Executives

And... we’re done!

Questions ?!

We are always at:
• [email protected]
• Hosted by: www.aliadocorp.com