presentation (2010)

______ Security Solutions

Sorry Image Redacted for Privacy

Security

• Overview: What is security?

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction

Presented by. Peleg Holzmann, CISSP

______ & Security• ______

To ....

Overview: Gain Security Awareness

When you hire ______ you do not get one person but rather get a team of highly trained and experienced IT professionals who are experienced in all areas of information security.

______ works with you to understand your business goals, concerns and your organizations vision to create the optimal security solution customized for your individual organization.

A few questions

1. What is your corporate vision for security?

2. Where are you today?

3. Where do you want to be?

4. How do we get there?

5. Did we get there?

6. How do we keep the momentum going?

One Answer

We can help you answer all these questions!

CIA Triangle

Risk is

the likelihood of the occurrence of a vulnerability

multiplied bythe value of the information asset

minus -

the percentage of risk mitigated by current controlsplus +

the uncertainty of the current knowledge of the vulnerability.

$25,000

Threat

Layered Approach – Defense in Depth

Information Authorized Personnel

Technology People

RedundancyMonitoring Systems

Patches &Updates

Host IDS

Firewalls

Network IDS

Network IPS

Proxy Servers

Encryption

Backups

Access Controls

Policies and Laws

Internet

Networks

Systems

People

Education and Training

Security Planning(IR, DR, BC)

Security Awareness

Awareness Training Education

Attribute “What” “How” “Why”

Level Information Knowledge Insight

Teaching Method Media-Videos-Newsletters-Posters, etc.

Practical Instruction-Lecture-Case study workshop-Hands on practice

Theoretical Instruction-Discussion seminar-Background reading

Test Measure True/FalseMultiple Choice

(Identify Learning)

Problem solving(Apply Learning)

Essay(Interpret Learning)

Impact Time Frame

Short Term Intermediate Long Term

Continual Service Improvement

Typical Information Security Audit Procedure

Step 1:Ascertain Applicable Laws

Requirements

Step 1.1:NIST/ISO Security Standards

Requirements Continued

Information Security

Information Security Management System

Standards / Frameworks (ISO 27000)

Compliance, Assurance, Audit

Step 1 – Ascertain applicable laws/standards

Determine if your organization needs to meet any laws or standards.• HIPPA• SOX• GLBA• Etc.

Determine if your organization is following any NIST/ISO Standards/Frameworks • ISO 27000 / ITIL• ISO 17799• COBIT• Etc.

• Determine specific requirements

Step 1 – Example HIPPA

Some areas which need to be addressed and documented would include:

Physical SecuritySystems should be located in physically secure locations, whenever possible.

Secure LocationsSecure locations must have physical access controls (Card Key, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security.

Access Control SystemsAccess control systems must be maintained in good working order and records of maintenance, modification and repair activities should be available.

Disaster Recovery…

Back-up Systems and Procedures Media Destruction and Recycling

Account Management and Access Review Emergency Access

Requirements

Step 2:Prepare Project Plan

Step 2 – Project Plan

Utilizing Microsoft Project design and maintain a feasible and detailed project plan.

Each project plan is followed and evaluated constantly to ensure that milestones, schedules and budgets are met.

Requirements

Step 3:Gather Information & Identify Assets

Documentation Review

Interviews

Step 3 – Gather Information

Use tools, interviews and documentation review to analyze business risk profile.

Step 3 – Gather Information - Interviews

Step 3 – Gather Information - Software

Nessus

Secunia

Microsoft Baseline Security Analyzer (MBSA)

Step 3 – Gather Information – Documentation Review

Requirements

Step 4:Perform Risk Analysis

Interviews

Step 4 – Perform Risk Analysis

Risk is

the likelihood of the occurrence of a vulnerability

multiplied bythe value of the information asset

minus -

the percentage of risk mitigated by current controlsplus +

the uncertainty of the current knowledge of the vulnerability.

Step 1:System Characterization

Step 2:Threat Identification

Step 3:Vulnerability Identification

Step 4:Control Analysis

Step 6:Impact Analysis

Loss of CIA

Step 7:Risk Determination

HardwareSoftwareSystem InterfacesData & InformationPeopleSystem Mission

System BoundarySystem FunctionsSystems & Data CriticalitySystem & Data Sensitivity

History of system attacksOutside agency data

Threat Statement

Prior Risk AssessmentsPrior AuditsSecurity RequirementsSecurity Test Results

List of Potential Vulnerabilities

Current ControlsPlanned Controls

List of current & planned controls

Threat Source MotivationThreat CapacityNature of VulnerabilityCurrent Controls

Impact Rating

Mission impact analysisAsset criticality assessmentData criticalityData sensitivity

Impact Ratings

Likelihood of threat exploitationMagnitude of impactAdequacy of planned & Implemented controls

Risk & Associated Risk Levels

Step 5:Likelihood determination

Step 4 – Perform Risk Analysis (Quantitative)

Cost Basis Analysis (CBA)Annualized Cost of Safeguard (ACS)

CBA = ALE (prior) – ALE (Post) - ACS

Quantitative Approach (more detailed and longer time frame)

Single Loss Expectancy (SLE)

Annualized Rate of Occurrence (ARO)

Annualized Loss Expectancy (ALE)

SLE x ARO = ALE

Step 4 – Perform Risk Analysis (Qualitative)

Qualitative Approach (Faster and Cheaper)

Low, Medium, High, Very HighAssign a degree to the asset then create a RISK Matrix Chart similar to sample shown.

At ______ we use both in combination:Quantitative and Qualitative to produce the most accurate risk matrix.

Quantitative Qualitative

At ______ we use both in combination:Quantitative and Qualitative to produce the most accurate risk matrix.

Identify Information Assets

Vulnerability Worksheet

Control StrategyAnd Plan

AccessControl

Implement Control

AdequateControls?

Plan forMaintenance

MeasureRisk to Asset

AdequateRisk?NO

YES YES

Requirements

Step 5:Report Findings & Recommendations

Interviews

Step 5 – Report Findings and Recommendations

Requirements

Step 6:Prepare Implementation Plan

Interviews

Step 6 – Implementation Plan

Step 4 – Example of Patches and Vulnerabilities

Requirements

Step 6:Prepare Implementation Plan

Step 7:Continual Service Improvement

Interviews

Step 7: Continual Service Improvement

Some Examples….

Firewall Rules

Wi-Fi Site Analysis

Network Analysis

Documentation – MacAfee Epolicy Orchestrator

Patch / Change Management Report

Risk Assessment

Documentation Review / Audits

Documentation Work Area Recovery Recommendations

Documentation Business Impact Analysis (BIA)

Control Objective

Policy Document

Standards Document

We help you assemble your complete security solution

presentation (2010)

peleg holzmann

areas of information

information security

security overview

security solutions

security awarenesspresented

nistiso security standardsstep

information systems

Documents

qh 2010 presentation

presentation november 2010

q1 2010 shareholder presentation may 2010

ahrd presentation 2010

mosaic presentation 2010

ita presentation 2010

2010 presentation

fsc presentation 2010

superconference presentation - 2010

business presentation 2010

preliminary results 2009/2010 - presentation€¦ ·...

2010 awards presentation

presentation 2010

presentation 2010 updated may 8 2010

company presentation april 2010 company presentation april...

apm presentation 2010

misc 2010 presentation

iclc 2010 presentation

2010 strategy presentation: 2 march 2010 tony hayward...

horizons presentation 2010