1 / 40

“Information Security For Your Company: Its Risks, Tradeoffs, and Solutions A Management Perspective” November 17, 20

“Information Security For Your Company: Its Risks, Tradeoffs, and Solutions A Management Perspective” November 17, 2005 . eWorkshop Purpose. To demystify the process of protecting your company’s information. Our presenter will cover. Types of information to protect Types of attackers

hideaki
Télécharger la présentation

“Information Security For Your Company: Its Risks, Tradeoffs, and Solutions A Management Perspective” November 17, 20

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. “Information Security For Your Company: Its Risks, Tradeoffs, and Solutions A Management Perspective”November 17, 2005

  2. eWorkshop Purpose To demystify the process of protecting your company’s information

  3. Our presenter will cover • Types of information to protect • Types of attackers • Exposure • Defenses • Examples

  4. Lois WebsterCEO

  5. This workshop is sponsored by Jones International University www.jiu.edu

  6. Jones International University offers an online MBA in Information Security Management For more information go to www.jiu.edu or call 866.246.0368 to speak with an Admissions Counselor.

  7. This Webcast is hosted by • www.meetingone.com

  8. How ask a question:

  9. Maura van der Linden Software Development Engineer in Test Microsoft Corporation

  10. Understanding Information Security Tradeoffs:A Management Perspective Written by:Maura van der Linden (maura@mauravanderlinden.com) Brought to you by: Jones International University MBA with Information Security Management (www.jiu.edu/learnshare) © 2005 Jones International University

  11. Convey a basic understanding of the Information Security Equation and its five variables. Provide an overview of the process of Threat Analysis. Demonstrate the iterative and ongoing nature of Information Security. Illustrate the Threat Analysis and Mitigation process with several real life samples of the tradeoffs made to minimize or remove Information Security threats. Presentation Goals © 2005 Jones International University

  12. Information Security Equation Threat Analyses Threat Mitigation and Re-Evaluation Response and Contingency Planning Security Champions Security Reviews Key Information SecurityConcepts © 2005 Jones International University

  13. Information Collection Storage Replication Intruders / Attackers Sources Motivations Exposure Defenses Responses Information Security EquationVariables © 2005 Jones International University

  14. What do you think are the biggest risks to your company? 1 = Email Viruses 2 = Directed Hacking Attacks 3 = Opportunistic Hacking Attacks 4 = Internal Theft / Misuse Poll Question #1 © 2005 Jones International University

  15. Examples: Internet Orders or Submissions Paper Orders Employee Hiring Paperwork Point-of-Sale Systems Telephone Ordering Systems 3rd Party Data Forwarding Information Aspect 1:Collection © 2005 Jones International University

  16. Business Data Examples: HR Data Emails Intranet Documents Financial Data Payroll Data Intellectual Property Partner/Vendor/ Supplier Data Customer Data Examples: Personal Data (Identifying Information) Credit Card Data Order History Financial Data Medical Data Information Aspect 2:Storage © 2005 Jones International University

  17. Examples: Live Databases Test Databases 3rd Party Forwarding Backups Log Files Printouts Paper Files / Copies Information Aspect 3:Replication © 2005 Jones International University

  18. Internal Source Examples: Current Employees Contracting Companies Vendors / Sub-Contractors External Source Examples: Ex-Employees Protesters / Idealists Professional Hackers Competitors Cyber-Vandals Intruders / Attackers Aspect 1:Sources © 2005 Jones International University

  19. Examples: Data Theft Data Destruction Cyber-Vandalism / Nuisance Coup Counters Intruders / Attackers Aspect 2:Motivations © 2005 Jones International University

  20. Internal Examples: Employees Locations Intranet Contractors External Examples: Internet Partners Vendors / Contractors Customers Exposure © 2005 Jones International University

  21. Examples: Commercial Software Defenses Commercial Hardware Defenses In-House / Custom Defenses Physical Defenses Policy Defenses Defenses © 2005 Jones International University

  22. Examples: Intrusion Detection Plan Data Recovery Plan Data Restoration Web Site Restoration Customer Notification Responses © 2005 Jones International University

  23. How many of you have defenses and a response plan in place already? 1 = Both are in place and updated. 2 = Both are in place but are out of date. 3 = Defenses are in place but no response plan. 4 = No formal plan for either Poll Question #2 © 2005 Jones International University

  24. Examples: How much harm can be done? How easy is it to perform? How well known is it? How hard or expensive will it be to recover? How many customers will it affect? Threat Modeling Aspects © 2005 Jones International University

  25. Example Questions: What is the threat rating (severity)? What mitigations are available? What do those mitigations cost vs. how well they mitigate the threat? Is the convenience worth the risk? How will the mitigation be enforced? Are there additional legal or regulatory issues if the threat is carried out? Threat Analysis & Mitigation Process © 2005 Jones International University

  26. High mitigation = high cost. Mitigation solutions must be custom or customized. Obscurity = security at very low cost. All mitigations are high tech. Hackers are isolated and tend to work alone. Common Misconceptionsof Tradeoffs © 2005 Jones International University

  27. After each mitigation is developed, the threat must be reviewed again. Revisit the threat rating. Identify any other threats that might be affected – beneficially or adversely – by a mitigation designed for another threat. Don’t neglect easily mitigated threats that do not have the highest threat ratings. Take Incremental Steps © 2005 Jones International University

  28. Convenience of multiple places to find the same data vs having to secure every place that data is stored. Ease of referencing plain text data instead of encrypted data vs. the risk that if the data is stolen, it’s easy and ready to use. Ability for any employee to solve problems for customers vs. the risk of all employees having the ability to steal customer data or misuse it. Samples of Common Tradeoffs © 2005 Jones International University

  29. Cost of buying commercial security software for every workstation vs. the risk of even one incident of a virus shutting down the business’ intranet. Employee morale and freedom of being able to open and read any email at work plus the expense of setting up and enforcing email attachment policies vs. risk of virus attack revealing confidential business information. More Samples of Common Tradeoffs © 2005 Jones International University

  30. Situation: A medical supply company keeps customer information in their permanent database and indexes the information by social security number. The database is accessible from the internet so customers can look up their own information. Mitigation: The risk of exposing the customers’ social security numbers along with their associated personal information on an internet-facing database is mitigated by the company switching to a random customer number and removing the social security number from their data storage. Tradeoffs: The convenience of having the social security number as a built-in index is traded for a Customer ID that means the records have to be retrieved by number or email address and password. A mailing had to be done to customers to inform them of why the change was being made and how to now access their information. Sample Situation #1 © 2005 Jones International University

  31. Situation: An online shopping business was allowing their customers to store credit card information, including the three digit code, in order to provide the convenience of not having to enter their credit card information each time they placed an order. Mitigation: The risk of both exposing credit card information in this internet-facing shopping system as well as the risk of a third party being able to charge items to the saved information was too high so the credit card information was removed from the customer database and the users now have to enter the credit card information for each purpose. Tradeoffs: The convenience of having the credit card information already entered and available was traded for the security of not having credit card information vulnerable to theft of misuse. Information on the reason for the change was posted to the shopping checkout page and customer response was quite positive, especially in the wake of a highly publicized credit card information theft. Sample Situation #2 © 2005 Jones International University

  32. Situation: A financial investment company which develops and utilizes in-house software for account maintenance has a test database for use by their contract testers but the test database is actually a copy of the live customer database and contains all the information that exists in the live database. In order to make it easier for the testers, the database administrator password has been set to <blank>. Mitigation: The previously overlooked risk of having live data in an easy to access place was considered too high so an application was written to simulate live transactions and used to build a dummy database for test to use. Because the database now contained NO real data, the administrator password was left as <blank> . Tradeoffs: The perfect replication of live customer data was traded for a very realistic set of dummy data without the risk of data theft. There was an additional benefit because the tool designed to create the test database was able to be used by other parts of the test effort. Sample Situation #3 © 2005 Jones International University

  33. How is your Information Security currently being managed? 1 = One person is in charge of it as a main job function and may or may not have a team working under them. 2 = One person is in charge of it as a secondary or lesser task. 3 = A team of people are in charge of it but are not coordinated by a single individual. 4 = It’s outsourced to another company 5 = It’s not being managed Poll Question #3 © 2005 Jones International University

  34. Centrally responsible for security efforts. Single point of coordination for response plans and materials. Disseminates knowledge and information as changes are made in business practices and policies. Keeps up to date on software patches, vulnerabilities and versions. Presents threat analyses and mitigation plans and proposals to management. Conducts and enforces security review standards and schedules. Role of the Security Champion © 2005 Jones International University

  35. Pro: Considerable knowledge and training that is generally kept up to date. Can be less expensive to use in circumstances where risks are fairly low and are not overly prone to frequent or rapid changes. Can provide a second set of eyes for in-house plans or for vulnerability assessment. Con: May not understand the customer’s business so making an accurate determination of the tradeoff viabilities may be difficult. May be difficult to communicate the full impact of analyses and proposed changes. More difficult to use for ongoing changes or revisions. External Security Consultants © 2005 Jones International University

  36. Businesses change over time. Threats and vulnerabilities change over time. Attack vectors and techniques change over time. Laws and legal precedents change over time. Continuing Efforts are Key © 2005 Jones International University

  37. How ask a question:

  38. To access presentation materials Go to www.LearnShare.com Best Practice Events eWorkshops “Information Security For Your Company: It’s Risks, Tradeoffs, and Solutions – A Management Perspective”

  39. Thanks! Evaluation by email

More Related