
Security in business processes: tools for integrated risk management


Presentation Transcript


  1. Security in business processes: tools for integrated risk management. Gabriel Marcos, Product Manager – Columbus Networks, gmarcos@columbus-business.com, @jarvel

  2. An uneven fight: CORPORATE POLICIES, PROJECTS, BUDGET, DAY-TO-DAY OPERATIONS, KNOWN RISKS, UNKNOWN RISKS, POTENTIAL RISKS vs. HACKERS, HACKERS

  3. Example: a sysadmin's tasks: DNS, groups, users, domains, profiles, patches, clusters, load balancing, IP addresses, documentation, inventory management, licensing, scripts, configurations, change management, knowledge bases, email, training. http://www.gfi.com/blog/20-tricky-sysadmin-tasks-and-how-to-approach-them/ He focuses on security in his spare time…

  4. Example: cybercriminal gangs • 6 people, 5 years • 4,000,000 victims • 100 countries • US$14 million in revenue http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911

  5. A look at 2012
     • Researchers from Seculert discovered what they say is a botnet command-and-control server holding 45,000 login credentials of Facebook users exploited by a pervasive worm, Ramnit, infecting Windows and designed to infect computers and steal social networking usernames and passwords.
     • Hacktivist group Anonymous brought down the websites of trade groups U.S. Telecom Association and TechAmerica, apparently for their support of the cybersecurity bill proposed by Rep. Mike Rogers that would allow private companies and the government to share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Privacy advocates, including the ACLU and Center for Democracy and Technology, contend the bill shreds privacy protections.
     • At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health, according to officials from the Utah Department of Technology Services and Utah Department of Health, which theorised that attacks from Eastern Europe bypassed security controls because of configuration errors. In May, Utah CIO Steven Fletcher resigned because of it.
     • Brazilian banks were targets for distributed denial-of-service attacks, with massive assaults against HSBC Brazil, Banco do Brasil, Itau Unibanco Multiplo SA and Banco Bradesco SA. Hacktivists took credit for the DDoS spree.
     • About 6.5 million cryptographic hashes of LinkedIn user passwords were stolen and posted online, a breach LinkedIn acknowledged though it didn't discuss specific numbers, which may be much less due to duplicates. LinkedIn invalidated the passwords of impacted users and the company said emails will be sent to users whose passwords were compromised, though it warned about updating passwords via links sent in email.
     • Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank did not make an extortion payment of $197,000. Elantis confirmed the data breach but said the bank will not give in to extortion threats.
     http://features.techworld.com/security/3370489/worst-security-muddles-so-far-of-2012/

  6. A look at 2012 (the same incidents, classified by type)
     • BOTNET: Researchers from Seculert discovered what they say is a botnet command-and-control server holding 45,000 login credentials of Facebook users exploited by a pervasive worm, Ramnit, infecting Windows and designed to infect computers and steal social networking usernames and passwords.
     • HACKTIVISM: Hacktivist group Anonymous brought down the websites of trade groups U.S. Telecom Association and TechAmerica, apparently for their support of the cybersecurity bill proposed by Rep. Mike Rogers that would allow private companies and the government to share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Privacy advocates, including the ACLU and Center for Democracy and Technology, contend the bill shreds privacy protections.
     • CONFIG ERROR: At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health, according to officials from the Utah Department of Technology Services and Utah Department of Health, which theorised that attacks from Eastern Europe bypassed security controls because of configuration errors. In May, Utah CIO Steven Fletcher resigned because of it.
     • DDOS: Brazilian banks were targets for distributed denial-of-service attacks, with massive assaults against HSBC Brazil, Banco do Brasil, Itau Unibanco Multiplo SA and Banco Bradesco SA. Hacktivists took credit for the DDoS spree.
     • EXTORTION / PHISHING: About 6.5 million cryptographic hashes of LinkedIn user passwords were stolen and posted online, a breach LinkedIn acknowledged though it didn't discuss specific numbers, which may be much less due to duplicates. LinkedIn invalidated the passwords of impacted users and the company said emails will be sent to users whose passwords were compromised, though it warned about updating passwords via links sent in email. Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank did not make an extortion payment of $197,000. Elantis confirmed the data breach but said the bank will not give in to extortion threats.
     http://features.techworld.com/security/3370489/worst-security-muddles-so-far-of-2012/

  7. Example: APT (Advanced Persistent Threat). Websense Threat Report 2012: The Year in Review for Threats

  8. The harsh reality: in most cases we are defenseless and at the mercy of anyone willing to make a minimal effort to exploit a vulnerability. The security measures implemented in many organizations are insufficient to deliver even a minimum level of security.

  9. Risk management approach: what the manual says… • Security policies • Organization of information • Asset management • Human resources • Physical and environmental security • Operations security • Access control • Systems development and maintenance • Incident management • Business continuity • Legal and regulatory compliance. (PLAN / DO / CHECK / ACT cycle)

  10. …what actually happens:
      • Lack of direction
        • Today vs. tomorrow.
        • Regulatory compliance.
        • ROI / TCO.
        • Technology vs. service.
      • Lack of execution
        • Expectations vs. functionality.
        • Is the service working, or guaranteed?
        • Is the risk bounded?
        • Easy solutions that are not very effective.
      • Lack of information
        • How effective are the controls?
        • Are we sure we are tackling ALL the problems?
        • Where should the solution be focused?
      OPERATIONAL APPROACH (PLAN / DO / CHECK / ACT cycle)

  11. Some ideas…

  12. The enterprise of the future – Implications for the CIO (IBM). The operational approach to security runs counter to generating value and innovation. INNOVATOR vs. FIREFIGHTER

  13. Regulatory trends. The end of anonymity?... …the justification we needed?

  14. Consumerization (what?!) Consumerization is the growing tendency for new information technology to emerge first in the consumer market and then spread into business and government organizations. http://en.wikipedia.org/wiki/Consumerization It is getting harder and harder to say "NO" to the user. The primary impact of consumerization is that it is forcing businesses, especially large enterprises, to rethink the way they procure and manage IT equipment and services. Historically, central IT organizations controlled the great majority of IT usage within their firms, choosing or at least approving of the systems and services that employees used. Consumerization enables alternative approaches. Today, employees and departments are becoming increasingly self-sufficient in meeting their IT needs.

  15. Methodology • Identify needs • Define risk zones • Create tailored controls • Monitor globally • Proactive processes • Continuous improvement

  16. Consuming vs. creating security services

  17. Security in business processes. HP Enterprise Security: Next-Generation Application Monitoring: Combining Application Security Monitoring and SIEM

  18. THANK YOU. Gabriel Marcos, Product Manager – Columbus Networks, gmarcos@columbus-business.com, @jarvel. Who has the first question?
