1 / 44

Security Risk Management

Security Risk Management . Eduardo Rivadeneira IT pro Microsoft Mexico. Session Prerequisites. Hands-on experience installing, configuring, administering, and planning the deployment of Windows 2000 Server or Windows Server 2003 Knowledge of Active Directory and Group Policy concepts.

colman
Télécharger la présentation

Security Risk Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Risk Management Eduardo Rivadeneira IT pro Microsoft Mexico

  2. Session Prerequisites • Hands-on experience installing, configuring, administering, and planning the deployment of Windows 2000 Server or Windows Server 2003 • Knowledge of Active Directory and Group Policy concepts Level 200

  3. Agenda • Dia 1 • Comunidades Technet Mexico • Entrenamiento Comunidades Mexico • Essentials of Security Parte 1 • Dia 2 • Essentials of Security Parte 2 • Security Risk Management Parte 1 • Dia 3 • Security Risk Managemnt Parte 2 • Peguntas y Respuestas

  4. Comunidades Technet Mexico Dia 1

  5. Comunidades en Mexico On Line • http://groups.msn.com/itpromexico Presénciales • Comunidad DF • IT Pro Mexico • Aida Lara • alora@hubbell.com.mx • Victor Guadarrama Olivares • vmgo@mvps.org • http://itpromexico.com.mx

  6. Comunidades • Comunidad Monterrey • Carlos Alberto Morales cmorales@madisa.com • Astrid Rodríguez Garza Vrodriguez@mail.risoul.com.mx http://groups.msn.com/itpromonterrey • Comunidad San Quintín Baja California • Genaro N. Lopez Norori gnlopez@hotmail.com • http://groups.msn.com/ITproSanQuintin

  7. Comunidades • Comunidad Guadalajara • Oscar T. Aceves Dávalos • itan040@hotmail.com • http://groups.msn.com/itprogdl • Comunidad Coatzacoalcos • Gabriel Castillo • jcastillo@celanese.com.mx • http://groups.msn.com/ITcoatzacoalcos

  8. Comunidades • Tijuana • Andree Ochoa • andreeochoa@netscape.net • http://groups.msn.com/itprotijuana • Puebla • Jorge Garcia • MasterFx@masterfx.net • http://groups.msn.com/ITICOPuebla

  9. Procedimientos Comunidades • Evento presencial • Enviar la información de las reuniones del siguiente mes Lugar, fecha, hora, descripción del evento, lugar del evento • Confirmar que el evento este dado de alta en http://wwww.microsoft.com/mexico/eventos • Todos los participantes deberán registrarse vía Web en el evento y entregar su registro con el código de barra el dia del evento • El instructor deberá recolectar las evaluaciones y hojas de registro para entregárselas al director del área

  10. Essentials of Security Dia 1

  11. Business Case • Business Case • Security Risk Management Discipline • Defense in Depth • Security Incident Response • Best Practices • 10 Immutable Laws of Security

  12. Loss of Revenue Damage to Reputation Damage to Investor Confidence Loss or Compromise of Data Damage to Customer Confidence Interruption of Business Processes Legal Consequences Impact of Security Breaches

  13. 2003 CSI/FBI Survey The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises

  14. Benefits of Investing in Security Reduced downtime and costs associated with non-availability of systems and applications Reduced labor costs associated with inefficient security update deployment Reduced data loss due to viruses or information security breaches Increased protection of intellectual property

  15. Security Risk Management Discipline • Business Case • Security Risk Management Discipline • Defense in Depth • Security Incident Response • Best Practices • 10 Immutable Laws of Security

  16. Security Risk Management Discipline (SRMD) Processes • Assessment • Assess and valuate assets • Identify security risks and threats • Analyze and prioritize security risks • Security risk tracking, planning, and scheduling • Development and Implementation • Develop security remediation • Test security remediation • Capture security knowledge • Operation • Reassess assets and security risks • Stabilize and deploy new or changed countermeasures

  17. Assessment: Assess and Valuate Assets Asset Priorities (Scale of 1 to 10) – Example * * For example purposes only – not prescriptive guidance

  18. Assessment: Identify Security Risks and Threats – STRIDE

  19. Assessment: Analyze and Prioritize Security Risks – DREAD Example Worksheet • DREAD • Damage • Reproducibility • Exploitability • Affected Users • Discoverability • Risk Exposure = Asset Priority x Threat Rank

  20. Assessment: Security Risk Tracking, Planning, and Scheduling Detailed Security Action Plans Example Worksheets

  21. Configuration management Detailed Security Action Plans Patch management System monitoring System auditing Operational policies Operational procedures Development and Implementation Security Remediation Strategy Testing Lab Production Environment Knowledge Documented for Future Use

  22. Operation: Reassess Assets and Security Risks • Reassess risks when there is a significant change in assets, operation, or structure • Assess risks continually Production Environment Documented Knowledge New Web Site Internet Services Testing Lab

  23. Production Environment Operation: Stabilize and Deploy New or Changed Countermeasures System Administration Team New or Changed Countermeasures Security Administration Team Network Administration Team

  24. Defense in Depth • Business Case • Security Risk Management Discipline • Defense in Depth • Security Incident Response • Best Practices • 10 Immutable Laws of Security

  25. The Defense-in-Depth Model Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success Policies, Procedures, & Awareness Physical Security Data ACLs, encryption, EFS Application Application hardening, antivirus OS hardening, authentication, patch management, HIDS Host Internal Network Network segments, IPSec, NIDS Firewalls, Network Access Quarantine Control Perimeter Guards, locks, tracking devices Security documents, user education

  26. I think I will wedge the computer room door open. Much easier. Hey, I need to configure a firewall. Which ports should I block? They have blocked my favorite Web site. Lucky I have a modem. I think I will use my first name as a password. Description of the Policies, Procedures, and Awareness Layer

  27. Say, I run a network too. How do you configure your firewalls? Hi, do you know where the computer room is? I can never think of a good password. What do you use? Hey, nice modem. What's the number of that line? Policies, Procedures, and Awareness Layer Compromise

  28. Policies, Procedures, and Awareness Layer Protection Employee security training helps users support thesecurity policy Firewall ConfigurationProcedure Physical Access Security Policy Device Request Procedure User Information Secrecy Policy

  29. Description of the Physical Security Layer All of the assets within an organization’s IT infrastructure must be physically secured

  30. View, Change, or Remove Files Damage Hardware Remove Hardware Install Malicious Code Physical Security Layer Compromise

  31. Lock doors and install alarms Employ security personnel Enforce access procedures Monitor access Limit data input devices Use remote access tools to enhance security Physical Security Layer Protection

  32. Business Partner Main Office LAN LAN Internet Internet Services Internet Services Network perimeters can include connections to: Branch Office • The Internet • Branch offices • Business partners • Remote users • Wireless networks • Internet applications Remote User Wireless Network LAN Description of the Perimeter Layer

  33. Business Partner Main Office LAN LAN Internet Internet Services Internet Services Network perimeter compromise may result in a successful: Branch Office • Attack on corporate network • Attack on remote users • Attack from business partners • Attack from a branch office • Attack on Internet services • Attack from the Internet Remote User Wireless Network LAN Perimeter Layer Compromise

  34. Business Partner Main Office LAN LAN Internet Internet Services Internet Services Network perimeter protection includes: Branch Office • Firewalls • Blocking communication ports • Port and IP address translation • Virtual private networks (VPNs) • Tunneling protocols • VPN quarantine Remote User Wireless Network LAN Perimeter Layer Protection

  35. Sales Wireless Network Marketing Human Resources Finance Description of the Internal Network Layer

  36. Unexpected Communication Ports Unauthorized Access to Systems Unauthorized Access to Wireless Networks Sniff Packets from the Network Access All Network Traffic Internal Network Layer Compromise

  37. Internal Network Layer Protection Require mutual authentication Segment the network Encrypt network communications Restrict traffic even when it is segmented Sign network packets Implement IPSec port filters to restrict traffic to servers

  38. Demonstration 1: Configuring IPSec Port Filtering Your instructor will demonstrate how to: • Create and configure an IP Security policy that contains IPSec port filters that will be used to lock down unnecessary ports on an IIS server • View IPSec port filter properties

  39. Description of the Host Layer • Contains individual computer systems on the network • Often have specific roles or functions • The term “host” is used to refer to both clients and servers

  40. Exploit Unsecured Operating System Configuration Unmonitored Access Host Layer Compromise Exploit Operating System Weakness Distribute Viruses

  41. Host Layer Protection Harden client and server operating systems Disable unnecessary services Monitor and audit access and attempted access Install and maintain antivirus software Use firewalls Keep security patches and service packs up to date

  42. Windows XP SP2 Advanced Security Technologies • Network protection • Memory protection • Safer e-mail handling • More secure browsing • Improved computer maintenance • Get more information on Windows XP Service Pack 2at http://www.microsoft.com/sp2preview

  43. Demonstration 2: Overview of Windows XP SP2 Your instructor will demonstrate the new and enhanced security features in Windows XP SP2: • Security Center • Windows Firewall • Internet Explorer

  44. Preguntas • http://groups.msn.com/itpromexico • Sección de webcast

More Related