Download - Presentation (2010)
______ Security Solutions
Security
• Overview: What is security?
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction
Presented by. Peleg Holzmann, CISSP
______ & Security• ______
To ....
Overview: Gain Security Awareness
When you hire ______ you do not get one person; you get a team of highly trained and experienced IT professionals who cover all areas of information security.
______ works with you to understand your business goals, concerns and your organization's vision, and creates the optimal security solution customized for your individual organization.
A few questions
1. What is your corporate vision for security?
2. Where are you today?
3. Where do you want to be?
4. How do we get there?
5. Did we get there?
6. How do we keep the momentum going?
One Answer
We can help you answer all these questions!
CIA Triangle
Risk
Risk is
the likelihood of the occurrence of a vulnerability
multiplied by the value of the information asset,
minus the percentage of risk mitigated by current controls,
plus the uncertainty of the current knowledge of the vulnerability.
Risk
[Figure: risk illustration showing a threat and the figures $25,000, $200, $1000 and $1000]
Layered Approach – Defense in Depth
[Figure: layers from the outside in: Internet, Networks, Systems, People, Information (authorized personnel only); technology and people controls placed at each layer: Policies and Laws, Education and Training, Security Planning (IR, DR, BC), Firewalls, Proxy Servers, Network IDS, Network IPS, Host IDS, Patches & Updates, Encryption, Backups, Access Controls, Redundancy, Monitoring Systems]
Security Awareness
Awareness / Training / Education compared:
Attribute: Awareness = "What"; Training = "How"; Education = "Why"
Level: Awareness = Information; Training = Knowledge; Education = Insight
Teaching Method: Awareness = Media (videos, newsletters, posters, etc.); Training = Practical instruction (lecture, case study workshop, hands-on practice); Education = Theoretical instruction (discussion seminar, background reading)
Test Measure: Awareness = True/False, Multiple Choice (identify learning); Training = Problem solving (apply learning); Education = Essay (interpret learning)
Impact Time Frame: Awareness = Short term; Training = Intermediate; Education = Long term
Continual Service Improvement
Typical Information Security Audit Procedure
Step 1: Ascertain Applicable Laws
Requirements
Step 1.1: NIST/ISO Security Standards
Requirements Continued
[Figure: Information Security → Information Security Management System → Standards / Frameworks (ISO 27000) → Processes, Policies, Procedures, Practices, Accountability → Compliance, Assurance, Audit]
Step 1 – Ascertain applicable laws/standards
Determine if your organization needs to meet any laws or standards:
• HIPAA
• SOX
• GLBA
• Etc.
Determine if your organization is following any NIST/ISO standards/frameworks:
• ISO 27000 / ITIL
• ISO 17799
• COBIT
• Etc.
• Determine specific requirements
Step 1 – Example: HIPAA
Some areas which need to be addressed and documented would include:
Physical Security: Systems should be located in physically secure locations, whenever possible.
Secure Locations: Secure locations must have physical access controls (card key, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security.
Access Control Systems: Access control systems must be maintained in good working order, and records of maintenance, modification and repair activities should be available.
Disaster Recovery…
Back-up Systems and Procedures
Media Destruction and Recycling
Account Management and Access Review
Emergency Access
Step 2 – Project Plan
Using Microsoft Project, design and maintain a feasible and detailed project plan.
Each project plan is followed and evaluated constantly to ensure that milestones, schedules and budgets are met.
Step 3 – Gather Information
Use tools, interviews and documentation review to analyze business risk profile.
Step 3 – Gather Information - Interviews
Step 3 – Gather Information - Software
Nessus
Secunia
Microsoft Baseline Security Analyzer (MBSA)
Step 3 – Gather Information – Documentation Review
Step 4 – Perform Risk Analysis
Risk is
the likelihood of the occurrence of a vulnerability
multiplied by the value of the information asset,
minus the percentage of risk mitigated by current controls,
plus the uncertainty of the current knowledge of the vulnerability.
Risk assessment steps (inputs → step → output):
Step 1: System Characterization
Input: Hardware, Software, System Interfaces, Data & Information, People, System Mission
Output: System Boundary, System Functions, System & Data Criticality, System & Data Sensitivity
Step 2: Threat Identification
Input: History of system attacks, Outside agency data
Output: Threat Statement
Step 3: Vulnerability Identification
Input: Prior Risk Assessments, Prior Audits, Security Requirements, Security Test Results
Output: List of Potential Vulnerabilities
Step 4: Control Analysis
Input: Current Controls, Planned Controls
Output: List of current & planned controls
Step 5: Likelihood Determination
Input: Threat Source Motivation, Threat Capacity, Nature of Vulnerability, Current Controls
Output: Impact Rating
Step 6: Impact Analysis (Loss of CIA)
Input: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity
Output: Impact Ratings
Step 7: Risk Determination
Input: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned & implemented controls
Output: Risk & Associated Risk Levels
Step 4 – Perform Risk Analysis (Quantitative)
Quantitative Approach (more detailed and longer time frame)
Single Loss Expectancy (SLE)
Annualized Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)
SLE x ARO = ALE
Cost Basis Analysis (CBA), Annualized Cost of Safeguard (ACS)
CBA = ALE (prior) – ALE (post) – ACS
Step 4 – Perform Risk Analysis (Qualitative)
Qualitative Approach (faster and cheaper)
Low, Medium, High, Very High
Assign a degree to the asset, then create a risk matrix chart similar to the sample shown.
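A worked example added here (not from the deck) that carries the quantitative formulas SLE x ARO = ALE and CBA = ALE(prior) – ALE(post) – ACS through a comparison of candidate safeguards, and pairs it with a qualitative lookup in the style of the risk matrix described above. The 4x4 matrix values, the Safeguard fields and all dollar figures are constructed assumptions.

```python
from dataclasses import dataclass

# Qualitative scale from the slides; the 4x4 matrix itself is a constructed sample,
# not the deck's own chart (rows = likelihood, columns = impact, Low .. Very High).
LEVELS = ["Low", "Medium", "High", "Very High"]
RISK_MATRIX = {
    "Low":       ["Low",    "Low",    "Medium",    "Medium"],
    "Medium":    ["Low",    "Medium", "High",      "High"],
    "High":      ["Medium", "High",   "High",      "Very High"],
    "Very High": ["Medium", "High",   "Very High", "Very High"],
}

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE x ARO = ALE."""
    return sle * aro

def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the safeguard saves more than it costs."""
    return ale_prior - ale_post - acs

def qualitative_risk(likelihood: str, impact: str) -> str:
    """Look up a risk level from two ordinal ratings; rejects values outside the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

@dataclass
class Safeguard:          # hypothetical record, not a term from the deck
    name: str
    acs: float            # Annualized Cost of Safeguard
    sle_post: float       # single loss expectancy once the safeguard is in place
    aro_post: float       # annualized rate of occurrence once the safeguard is in place

def rank_safeguards(sle: float, aro: float, options: list) -> list:
    """Return (name, ALE prior, ALE post, CBA) per safeguard, best CBA first."""
    prior = ale(sle, aro)
    rows = []
    for s in options:
        post = ale(s.sle_post, s.aro_post)
        rows.append((s.name, prior, post, cba(prior, post, s.acs)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    # Constructed figures for one asset: a file server with SLE $25,000 and ARO 0.2 per year.
    options = [Safeguard("offsite backups", acs=1000, sle_post=25000, aro_post=0.05),
               Safeguard("redundant cluster", acs=4500, sle_post=25000, aro_post=0.02)]
    for name, prior, post, benefit in rank_safeguards(25000, 0.2, options):
        print(f"{name:18} ALE prior ${prior:8.0f}  ALE post ${post:8.0f}  CBA ${benefit:8.0f}")
    print("High likelihood x Medium impact ->", qualitative_risk("High", "Medium"))
```

A CBA of zero or below means the safeguard costs at least as much per year as the loss it prevents, which is the signal to look for a cheaper control or accept the risk.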
Step 4 – Perform Risk Analysis
At ______ we use both in combination, quantitative and qualitative, to produce the most accurate risk matrix.
[Figure: risk control flowchart with nodes: Identify Information Assets; Vulnerability Worksheet; Measure Risk to Asset; Adequate Risk? (YES / NO); Control Strategy and Plan; Access Control; Implement Control; Adequate Controls? (YES / NO); Plan for Maintenance]
Step 5 – Report Findings and Recommendations
Step 6 – Implementation Plan
Step 4 – Example of Patches and Vulnerabilities
Typical Information Security Audit Procedure
Step 1: Ascertain Applicable Laws / Requirements (Step 1.1: NIST/ISO Security Standards)
Step 2: Prepare Project Plan
Step 3: Gather Information & Identify Assets (Documentation Review, Interviews)
Step 4: Perform Risk Analysis
Step 5: Report Findings & Recommendations
Step 6: Prepare Implementation Plan
Step 7: Continual Service Improvement
Step 7: Continual Service Improvement
Some Examples….
Firewall Rules
Wi-Fi Site Analysis
Network Analysis
Documentation – McAfee ePolicy Orchestrator
Patch / Change Management Report
Risk Assessment
Documentation Review / Audits
Documentation Work Area Recovery Recommendations
Documentation Business Impact Analysis (BIA)
Control Objective
Policy Document
Standards Document
We help you assemble your complete security solution