1. IT Security: a CIO Perspective
The 3rd Kuwait Info Security Conference & Exhibition
By Ghassan Farra, Senior Consultant, The Advance Technology Group
2. IT Security Architecture
- Business Strategies driving the business
- Management and Operational Policies
- Hardening, HIPS
- Secure encryption, authentication technologies
- Security practices in development, Penetration Tests
- Firewalls, NIPS
- Operational Procedures, Audits, Log Analysis, Content Inspection
- Business Continuity, Incident Response
5/26/2011 3rd Annual InfoSecurity Conference
3. Pitfalls in the Security Fortress
Unforeseen (seemingly harmless!) practices and technologies can bring the security fortress crumbling down and expose the entire infrastructure to numerous risks and threats.
4. PST Files
Risks
- The majority of the enterprise's sensitive documents sit today in email messages.
- Messages are archived to local PST files, which often get lost when an employee exits or become damaged because of the file size limitation.
- PST files often elude the retention policy.
Mitigation
- Mail archiving solution
- Central repository for sharing documents
5. 3rd Party Network Access
Risks
- Allowing 3rd party network access (3G, 4G) opens a pathway into the corporate network
- The infrastructure is exposed to threats
- Theft of critical information
Mitigation
- Define and establish policy and procedures
- Endpoint or port control solution
6. Wireless Network
Risks
- Usage of weak encryption algorithms
- Lack of identification and authentication of base stations
- Unencrypted communication channel
Mitigation
- Use the latest wireless encryption protocols
- Enable authentication to access wireless services
- Rogue base station monitoring
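The three wireless risks on this slide can be checked against a site survey with a few lines of code. The following is an added example, not material from the presentation: it takes a list of scan records (SSID, BSSID, security mode), compares them with an assumed inventory of sanctioned access points, and reports rogue base stations broadcasting a corporate SSID, unmanaged access points, weak or absent encryption, and corporate SSIDs that are encrypted but not using per-user (802.1X) authentication. The scan records, the BSSIDs, the SSID names and the inventory are all constructed for the example.

```python
"""Added example (not from the presentation): audit a wireless site survey for the
slide's risks -- weak encryption and rogue / unauthenticated base stations.
The scan records, the AP inventory and the SSID names are all constructed."""

# Constructed scan results, shaped like a site-survey tool's output.
SCAN = [
    {"ssid": "CORP-WIFI",     "bssid": "00:11:22:33:44:01", "security": "WPA2-Enterprise"},
    {"ssid": "CORP-WIFI",     "bssid": "00:11:22:33:44:02", "security": "WPA2-Enterprise"},
    {"ssid": "CORP-WIFI",     "bssid": "de:ad:be:ef:00:01", "security": "Open"},           # unknown BSSID using the corporate SSID
    {"ssid": "CORP-GUEST",    "bssid": "00:11:22:33:44:03", "security": "WEP"},            # sanctioned AP, obsolete cipher
    {"ssid": "CORP-GUEST",    "bssid": "00:11:22:33:44:05", "security": "WPA2-Personal"},  # sanctioned AP, shared passphrase only
    {"ssid": "Printer-Setup", "bssid": "00:11:22:33:44:04", "security": "WPA-TKIP"},       # not in inventory, weak cipher
]

# Assumed inventory of sanctioned access points (would come from the asset register).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02",
                     "00:11:22:33:44:03", "00:11:22:33:44:05"}
CORPORATE_SSIDS = {"CORP-WIFI", "CORP-GUEST"}

# Security modes that fail the "latest encryption protocols" mitigation:
# no encryption, WEP, or WPA with the TKIP cipher.
WEAK_SECURITY = {"Open", "WEP", "WPA-TKIP"}
# Corporate SSIDs are expected to authenticate each user (802.1X), not share a passphrase.
AUTHENTICATED_MODES = {"WPA2-Enterprise", "WPA3-Enterprise"}


def audit_scan(scan, authorized_bssids, corporate_ssids):
    """Return a list of (finding, bssid, detail) tuples for one survey."""
    authorized = {b.upper() for b in authorized_bssids}
    findings = []
    for ap in scan:
        bssid = ap["bssid"].upper()
        ssid, security = ap["ssid"], ap["security"]
        if ssid in corporate_ssids and bssid not in authorized:
            # Someone is broadcasting our SSID from hardware we do not own.
            findings.append(("ROGUE_BASE_STATION", bssid, ssid))
        elif bssid not in authorized:
            # Unknown AP on the premises; not impersonating us, but unmanaged.
            findings.append(("UNMANAGED_AP", bssid, ssid))
        if security in WEAK_SECURITY:
            findings.append(("WEAK_ENCRYPTION", bssid, security))
        elif ssid in corporate_ssids and security not in AUTHENTICATED_MODES:
            # Encrypted, but with a shared passphrase instead of per-user authentication.
            findings.append(("NO_USER_AUTHENTICATION", bssid, security))
    return findings


def summarize(findings):
    """Count findings by type, for a dashboard or a ticket."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_scan(SCAN, AUTHORIZED_BSSIDS, CORPORATE_SSIDS)
    for finding in results:
        print(*finding)
    print(summarize(results))
```

Run periodically against the output of whatever survey tool is in use, a check like this turns the "rogue base station monitoring" bullet into a concrete control: an unknown BSSID advertising a corporate SSID is the signature of an impersonating access point, and an inventory entry that has drifted to WEP or a shared passphrase shows up the next time the survey runs.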
7. Laptop Theft or Damage
Risks
- Laptops contain highly critical data
- They allow easy retrieval of that data when no controls (e.g. full disk encryption) are implemented
Mitigation
- Management policies / guidelines
- Full disk encryption and backups
- Awareness on using laptops (in and out of the office, in public places, etc.)
8. HR Processes
Risks
- No notification on employee exit or internal transfers
- Access privileges to corporate data persist after the change
- Access to critical business applications persists after the change
Mitigation
- Define a corporate policy
- Establish the process or procedure
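Even with a notification process in place, IT needs a way to catch the exits and transfers that HR never reported. The following added example (not from the presentation) reconciles a constructed HR feed with a constructed directory snapshot and reports three things: enabled accounts whose employee has left, transferred employees who still hold another department's group memberships, and accounts with no employee record at all. The employee ids, user names, group names and the department-to-group mapping are all assumptions made for the example.

```python
"""Added example (not from the presentation): reconcile an HR feed against a
directory snapshot so that exits and transfers HR never notified IT about
still surface. The HR records, accounts and group names are all constructed."""

# Constructed HR feed: employee id -> current HR status and department.
HR_FEED = {
    "E1001": {"status": "active",     "department": "Finance"},
    "E1002": {"status": "terminated", "department": "Finance"},  # left, IT was not told
    "E1003": {"status": "active",     "department": "IT"},       # transferred out of Finance
}

# Constructed directory snapshot (what an AD/LDAP export would give).
DIRECTORY = [
    {"user": "a.ali",      "employee_id": "E1001", "enabled": True, "groups": {"Finance-Users"}},
    {"user": "b.bader",    "employee_id": "E1002", "enabled": True, "groups": {"Finance-Users", "ERP-Approvers"}},
    {"user": "c.chen",     "employee_id": "E1003", "enabled": True, "groups": {"Finance-Users", "IT-Admins"}},
    {"user": "svc-backup", "employee_id": None,    "enabled": True, "groups": {"Backup-Operators"}},
]

# Assumed mapping of which groups (and so which applications and data) belong to which department.
DEPARTMENT_GROUPS = {
    "Finance": {"Finance-Users", "ERP-Approvers"},
    "IT":      {"IT-Admins"},
}


def reconcile(hr_feed, directory, dept_groups):
    """Return (finding, user, detail) tuples for accounts that contradict HR."""
    findings = []
    all_dept_groups = set().union(*dept_groups.values())
    for acct in directory:
        user, eid = acct["user"], acct["employee_id"]
        if eid is None:
            # Service or shared accounts need a named owner, or nobody ever removes them.
            findings.append(("NO_OWNER", user, "not linked to an employee record"))
            continue
        record = hr_feed.get(eid)
        if record is None or record["status"] != "active":
            # Employee is gone (or unknown to HR) but the account can still log in.
            if acct["enabled"]:
                findings.append(("EXIT_NOT_DEPROVISIONED", user, eid))
            continue
        # Transfer: groups that belong to some other department are stale access.
        own_groups = dept_groups.get(record["department"], set())
        stale = acct["groups"] & (all_dept_groups - own_groups)
        if stale:
            findings.append(("TRANSFER_STALE_ACCESS", user, tuple(sorted(stale))))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_FEED, DIRECTORY, DEPARTMENT_GROUPS):
        print(*finding)
```

The comparison is deliberately one-directional: HR is the authority on who works where, and the directory has to follow it. Scheduling this reconciliation (daily, or at least before each access review) is the "establish the process" bullet made operational, and the findings list is what the helpdesk works through.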
9. Removable Media
Risks
- Computer infection with malicious code or malware (which in turn spreads to the network), e.g. Stuxnet
- Information theft by authorized and unauthorized users
Mitigation
- Endpoint or port control solution (USB, CD-ROM, serial, parallel, etc.)
- Encrypt external media (USB, DVD/CD) carrying critical information
- Policy and guidelines to support and tune the solution
11. Security & Information Handling Awareness Campaign
14. IT Asset Management
Risks
- No structured process to manage assets
- No policy or procedure to handle end-of-life or disposed assets
- No data sanitization procedures
- Critical information remains available on the disks
Mitigation
- Define and establish an asset management process
- Define and establish data sanitization procedures