Understanding the security organization
1. CIS 264 Week 1
Highline Community College
Dan Morrill
2. Roles within the company
Risks that are part of the regulatory landscape (SOX,
HIPAA, FERPA, PCI-DSS, etc.)
Risks that are part of the business decisions
Risks that are part of the technology decisions
Risks that are part of the security decisions
Example: HIPAA's Security Rule calls for technical safeguards, which in
practice means a firewall; the business decides to buy Cisco because of
an existing contract; Technology purchases a Cisco 7600 with a firewall
module; Security configures it to work on the network by opening the
ports the services need and allowing access to those services (and
should leave everything else denied by default)
3. Decisions about technological solutions will be made by
people who do not understand the technology
Purchasing decisions will be driven by existing
contracts and discounts with IT providers
Decisions might be locked in for years (Cisco,
Microsoft, Linux) because of those contracts
It is hard to swap out technologies: it is nearly
impossible for a Windows shop to move to Linux in its
entirety because of vendor "lock-in"
You see this now with cloud computing and the attempt
to avoid lock-in with any single provider
4. Point solutions are still popular in organizations
Technology and security need to understand what needs
to be protected in the organization
Technology and security need to understand the critical
assets for business continuity (the systems the company
needs to run to continue to do business)
Every manager and executive thinks that their systems are
business critical and will make decisions about IT, Business
Continuity, and Disaster recovery based on that perception
Businesses are highly political
Don’t tell the VP you can’t do it, or won’t do it – they will
find a way to make it happen regardless of what IT says
5. Technology and security need to identify every IT
solution in the company and how they interconnect with
each other to deliver services
This includes new, old, vintage, and forgotten systems
and programs
Some programs and systems will be orphaned in the
organization with no clear manager or maintainer
Some users do not want their systems upgraded or
changed and will help kill new systems or changes
Some managers do not want to lose what political power
they have – and will help kill new systems or changes
6. Technology provides solutions to business
problems, and which business problems get solved depends on the
perceived power of the people making those decisions
What are the systems we need to protect?
Who uses them, and how?
What are the risks we are trying to reduce?
What are the highest-priority risks? (This is heavily
influenced by power, both actual and perceived, within
the organization)
Are you reducing risks in the most cost-effective way?
Heavily dependent upon politics and power within the
organization
7. Risk = (threats x vulnerabilities) + (likelihood x impact) +
(politics + positional power in the organization)
Risk is the probability of loss
This means uncertainty and messy answers
This means that the "risk" is open to political and positional
influence up and down the organization
Risk is the possibility of a threat being realized
How likely is something to happen? How clever are the
attackers, and how clever are IT and security?
Risk is rated (measured qualitatively) by how likely something is to
happen to the systems
This rating is prone to second-guessing and to lack of imagination
8. A vulnerability is the weakness that makes the
resource susceptible to the threat.
A threat is anything capable of acting against a
resource in a manner that can result in harm
(intentionally or accidentally).
The likelihood is a measure of how probable it is that
the threat/vulnerability pair will be realized.
The severity is a measure of the magnitude of the
consequences that result from the threat/vulnerability
pair being realized for that resource.
9. Likelihood:
Critical (5) – Exposure is apparent through casual use or with publicly
available information, and the weakness is accessible publicly on the
Internet
High (4) – The threat-source is highly motivated and sufficiently
capable, and controls to prevent the vulnerability from being exercised
are ineffective.
Moderate (3) – The threat-source is motivated and capable, but
controls are in place that may impede successful exercise of the
vulnerability.
Low (2) – The threat-source lacks motivation or capability, or controls
are in place to prevent, or at least significantly impede, the
vulnerability from being exercised
Extremely Low (1) – The threat-source is part of a small and trusted
group, controls prevent exploitation without physical access to the
target, significant inside knowledge is necessary, or purely theoretical
10. Severity:
Critical (4) – May allow full access to or control of the
application, system, or communication including all data
and functionality
High (3) – May allow limited access to or control of the
application, system, or communication, including only
certain data and functionality
Moderate (2) – May indirectly contribute to unauthorized
activity or just have no known attack vector. Impact may
vary as other vulnerabilities or attack vectors are identified.
Low (1) – May indirectly contribute to unauthorized
activity or just have no known attack vector. Impact may
vary as other vulnerabilities or attack vectors are identified.
11. Risk Exposure:
1 – 4 Low - May have some minor effect on the system, but likely little impact to the
organization overall. Recovering from such an impact will require minimal expenditures
and resources. A single issue, by itself, may not place the integrity, availability, or
confidentiality of a system at risk. Multiple issues in this category could be combined,
however, in an exploit attempt.
5–7 Moderate - May result in some tangible impact to the organization. The
impact could be narrow in focus and perhaps only noted by a few individuals or parts of
the organization. May cause organizational embarrassment. Recovering from such an
impact will require some expenditure and resources.
8 – 11 High - May cause an extensive system outage, and/or loss of customer or
business confidence. May also result in compromise of a large amount of the
organization’s information or services, including sensitive information. Recovering from
such an impact will require a substantial amount of expenditure, resources, and
time. These vulnerabilities should be taken seriously and addressed quickly.
12+ Critical - This level of risk exposure is unacceptable for any aspect of the
environment. It introduces a level of exposure that cannot be maintained over time. The
remaining categories may be acceptable depending on the risk tolerance range.
12. Applied Risk Exposure:
1–8 Low - Acceptable without review by
management
9 – 25 Moderate - Management must determine
whether corrective actions are required or decide to
accept the risk
26 – 39 High - Undesirable and requires corrective
action. A plan must be developed to incorporate these
actions within a reasonable period of time based on
the discretion of management.
40+ Critical - Undesirable and requires
immediate corrective action
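The four scales above (Likelihood, Severity, Risk Exposure, Applied Risk Exposure) describe a rating procedure; here it is carried through in code so that a set of findings can be rated and ranked consistently. This is an added example, not material from the CIS 264 slides. It assumes that Risk Exposure is the product likelihood x severity: the slides give the bands but not the arithmetic, and the 1 to 20 range of the bands matches that product. Applied Risk Exposure is banded only from a score it is handed, because the slides do not say how that score is derived. The sample findings are constructed for the example.

```python
"""Qualitative risk rating, worked through in code (added example).

Encodes the Likelihood (1-5) and Severity (1-4) scales and the Risk Exposure
bands. ASSUMPTION: risk exposure = likelihood * severity (the slides list the
bands but not the arithmetic). Applied Risk Exposure is only banded here; the
slides do not state how that score is produced.
"""
from dataclasses import dataclass

LIKELIHOOD = {5: "Critical", 4: "High", 3: "Moderate", 2: "Low", 1: "Extremely Low"}
SEVERITY = {4: "Critical", 3: "High", 2: "Moderate", 1: "Low"}

# (inclusive upper bound, label); None marks the open-ended top band.
EXPOSURE_BANDS = [(4, "Low"), (7, "Moderate"), (11, "High"), (None, "Critical")]
APPLIED_BANDS = [(8, "Low"), (25, "Moderate"), (39, "High"), (None, "Critical")]


def band(score, bands):
    """Map a numeric score onto the first band whose upper bound covers it."""
    if score < 1:
        raise ValueError(f"score must be >= 1, got {score}")
    for upper, label in bands:
        if upper is None or score <= upper:
            return label
    raise AssertionError("unreachable: last band is open-ended")


def risk_exposure(likelihood, severity):
    """Risk exposure as the product of the two ratings (assumed, see docstring).

    Rejects ratings outside the published scales so a finding cannot be scored
    with, e.g., a severity of 5 that the scale does not define.
    """
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be in {sorted(LIKELIHOOD)}, got {likelihood}")
    if severity not in SEVERITY:
        raise ValueError(f"severity must be in {sorted(SEVERITY)}, got {severity}")
    return likelihood * severity


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int
    severity: int

    @property
    def exposure(self):
        return risk_exposure(self.likelihood, self.severity)

    @property
    def band(self):
        return band(self.exposure, EXPOSURE_BANDS)


def prioritize(findings):
    """Highest exposure first; ties broken by severity, then name, so the
    order is deterministic and does not depend on who filed the finding."""
    return sorted(findings, key=lambda f: (-f.exposure, -f.severity, f.name))


# Constructed sample findings (made up for this example; loosely modelled on
# the orphaned-systems and firewall-configuration points earlier in the deck).
SAMPLE_FINDINGS = [
    Finding("Firewall rule permits any source to TCP/445 on file servers", 3, 3),
    Finding("Orphaned reporting server, no owner, missing patches", 5, 4),
    Finding("Internal wiki discloses software version banners", 3, 1),
    Finding("Backup tapes readable only with physical data-center access", 1, 4),
    Finding("Self-signed certificate on internal admin portal", 3, 2),
]


def report(findings=SAMPLE_FINDINGS):
    """Return (name, exposure, band) tuples in priority order."""
    return [(f.name, f.exposure, f.band) for f in prioritize(findings)]


if __name__ == "__main__":
    for name, score, label in report():
        print(f"{score:>2} {label:<9} {name}")
```

Note that the politics and positional-power term from the risk formula earlier in the deck is deliberately not encoded: the point of writing the rating down as data is that two people rating the same finding get the same number, and management's override of that number then has to be made explicitly rather than baked into the score.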
13. There are two primary approaches to information
security at this time
Proactive
Reactive
Proactive – identify risks and vulnerabilities to systems
before hackers do, and take appropriate actions to
secure them and minimize risk
Reactive – wait to get hacked, then take appropriate
measures and actions to secure them and minimize
risk
14. Reactive information security has generally fallen out
of favor
Most companies do a combination of reactive and
proactive security
Patch updates
Internal security testing
If hacked – find the way they got in and fix it
Reactive information security has a hard time scaling to
the organization because of the complexity of the systems
in use and the number of ways that networks are
accessed
BYOD complicates reactive security further because it is
very hard to define where the network border is
15. Proactive information security is limited by:
The imagination of the people doing security risk management
The skills of the employees who conduct information security
surveys of the network
The support of management to fix problems (which might be
critical but costly) in a reasonable period of time
"Security as a Cost Center": the perception that there is no real
benefit to the company because nothing bad ever happens
Proactive information security is written into some
regulations, which specify that companies will carry out
tasks like third-party network evaluations, firewalls, and
other security systems as part of the company's operations
16. One of the largest problems in information security is
that there are a large number of “unknowns”
It is unknown to most companies, law enforcement,
and governments just how many vulnerabilities there
are out there
There is a broad and complex market for “Zero Day”
vulnerabilities that are used by companies, criminals,
law enforcement and governments without notifying the
developer of those flaws
Most companies cannot and do not belong in the
business of “zero day” research
18. Attacks get more complex
Attackers' dwell time on the networks increases
AV might not catch it all
Firewalls and SIEM systems might not see it all
Coders will never write unhackable code
Systems are exposed everywhere there is a connection
There are open markets for vulnerabilities
OEM response to vulnerabilities is at times slow
19. You have to manage your networks, systems, access points,
user front ends, and everything else with what you know
People in technology and/or information security who do not
constantly learn new things become obsolete within a year
You have to work with an often dysfunctional organization
and learn to play politics to secure systems adequately
You have to trust OEMs to deliver a patch in time
You have to trust your systems based on what they are
seeing
And you have to get creative with your skills to keep your
networks safe