2. Roger Hagedorn
Security Consultant
• CISSP - Certified Information Systems Security Professional
• GIAC Security Essentials (GSEC)
Member:
• (ISC)2 Twin Cities Area Chapter (isc2tc.org)
• Upper Midwest Security Alliance (UMSA) – Board Member
3. Agenda
• Roger’s 5 Key Components of a Security Program
• What Can You Do Now?
• How to Tell You’ve Been Breached
• Action Steps if Breached
Please feel free to ask questions at any time. This session is for you.
4. More Introductions
• Who are you and what brings you to this
presentation?
• What are your security concerns?
5. Why Are We Here?
Security Breaches so far in 2013:
Approximately 10.6 million records
compromised and 483 breaches reported.
According to statistics compiled by the Privacy Rights Clearinghouse
http://www.darkreading.com/database/lessons-learned-
6. Why Are We Here?
According to the Verizon 2013 Data Breach
Investigations Report (DBIR), organizations
with fewer than 100 employees comprised
31% of data breach incidents investigated in
2012.
http://www.verizonenterprise.com/DBIR/2013/
7. Why Are We Here?
Why do people hack?
• Notoriety—basic intrusions, early viruses
• Fame—creative or widespread malware
• Financial—theft and damage
• Political reasons—hacktivism
• National interests—spying
8. Why Are We Here?
The “Professionalization” of CyberCrime in
the form of large, organized criminal
syndicates
• Exploit auction houses (WabiSabiLabi)
• Forums and IRC (#Vxers, cybermafia.cc)
• Botnet rental (5socks.net)
• Identity auctions (76service)
http://money.cnn.com/2011/07/27/technology/organi
/
9. Why Are We Here?
A Common Misconception:
“Our organization would never be a target of
hackers.”
– We do good work
– We’re too small to be noticed
– We have nothing of value
10. Why Are We Here?
What small organizations may not realize:
– Hackers use automated tools. They don’t
pick their targets; they find vulnerabilities.
– All organizations have things of value:
• Computing power (botnets)
• Email contacts (other potential victims)
• Personal information (identity theft)
11. Why We Are Here
This situation makes us all a target.
14. Key Components of a
Security Program
Support from upper management is critical.
Without that, no program or initiative will be
fully successful. But with it, work processes
can be adjusted, staff can learn, funds can
be obtained, and attitudes can change.
15. Key Components of a
Security Program
No. 2 is Data.
https://www.icts.uiowa.edu/content/integrated-reposit
16. Key Components of a
Security Program
An in-depth understanding of an
organization’s data and how it’s protected.
Compare the “Good Old Days” to today. . .
17. Key Components of a
Security Program
http://education-portal.com/academy/lesson/what-is-cloud-comp
18. Key Components of a
Security Program
http://education-portal.com/academy/lesson/what-is-cloud-comp
19. Intermission
Plucked from the Sept. 27 headlines:
Last week's arrest of eight men in
connection with a £1.3 million ($2.08 million)
bank heist carried out with a remote-control
device they had the brass to plug into a
Barclays branch computer
http://nakedsecurity.sophos.com/2013/09/21/bank-robbers-pose-as-
20. Intermission
Plucked from the Sept. 27 headlines:
The arrest of 12 men in connection with a
scheme to booby-trap computers at Santander,
one of the UK's largest banks, by rigging the
same type of remote-control device found at
Barclays - devices that enable remote bank
robbery.
http://nakedsecurity.sophos.com/2013/09/13/12-arrested-a
21. Key Components of a
Security Program
That in-depth understanding of your
organization’s data must include where it is
stored, how it is classified—e.g., public, in-house only, confidential—who can access it,
and how this is being monitored.
22. Key Components of a
Security Program
It is not enough to safeguard important data
—from HR-related data to financial
information, and especially Protected Health
Information (PHI)—it is also necessary to be
able to demonstrate that appropriate controls
are in place and effective.
23. Key Components of a
Security Program
No. 3 is IT.
Many people consider information security an
IT issue. It is not: it involves much more
than IT. But it is true that hardware and
software controls are a significant part of
any security program.
24. Key Components of a
Security Program
But if your organization has one IT admin,
this is a challenge. Security is important but
only part of the job. There’s no dedicated
security analyst. There’s no way IT can
monitor everything. And it’s easy to waste
time on logs and events that aren’t
important. So what to monitor?
25. Key Components of a
Security Program
• Active Directory and servers
• Firewall
• Wireless access points
• Anti-malware
• In-house applications
• Data storage (file server, NAS or whatever)
• Any cloud services?
26. Key Components of a
Security Program
Also part of IT’s role in security is the
implementation of some basic practices:
• user accounts
• strong passwords
• locking screen-savers
• use a firewall and VPN
• update operating systems and applications
• WPA2 encryption for WiFi
• separate guest WiFi
• encrypt data
• dispose of data
• policies
See the SANS Institute’s 20 Security Controls
27. Key Components of a
Security Program
No. 4 is Policies and Procedures.
The scope and key elements of an overall
security policy need to be developed by a
team that pulls from several areas of the
organization, so that the diversity of
divisions, end-users, and procedures is
accounted for.
28. Key Components of a
Security Program
Then, from this broad basis, more granular
policies and procedures need to be
developed to deal with specific aspects of
the enterprise.
29. Key Components of a
Security Program
Example Policies:
• Computing Acceptable Use
• Remote Access
• Password Usage
• Data Retention and Destruction
• Flash Drive Usage
• Cloud Storage
30. Key Components of a
Security Program
Once the policies and procedures are in
place, they need to be regularly checked in
order to verify that they are being followed
and that they actually provide the security
controls needed; if not, then they will have to
be revised. And all policies and procedures
need to be revised on a regular basis,
generally annually.
31. Key Components of a
Security Program
No. 5 is Staff Involvement, especially
because staff are sometimes the weakest
link but can also be the first line of defense.
32. Key Components of a
Security Program
Offer training programs, newsletters, brown
bag lunch sessions, posters, campaigns,
informational lectures, news updates, and
the like. While regulations like HIPAA
mandate formal training, experience
suggests that a combination of approaches
works best.
33. What Can You Do Now?
Invest in prevention—implement Defense-in-Depth
Educate your staff
Prepare an Incident Response Plan
Test your systems
Whitelist applications
34. How to Tell You’ve Been
Breached
The top indicators are:
• Unusual Outbound Network Traffic
• Anomalies in Privileged User Account Activity
• Geographical Irregularities
http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/2401
35. Action Steps if Breached
• Identify the Attack*
• Quarantine the Damage**
• Disinfect
• Employ your Communication Strategy
• Re-secure the Network
* If you are lucky. Most learn from outside sources after the fact.
** But first ask if this is actionable; if so, consult a forensic specialist.
37. Recap
• Roger’s 5 Key Components:
– Support from Upper Management
– Know your Data
– IT Controls and Monitoring
– Policies and Procedures
– Staff Involvement
• What Can You Do Now?
• How to Tell You’ve Been Breached
• Action Steps if Breached
38. Q and A
• Thanks very much for your attention.
• Any questions or comments?
Roger Hagedorn
Email: roger@cultivatingsecurity.com
Blog: www.cultivatingsecurity.com
39. Information Security Resources
The SANS Institute’s 20 Security Controls
http://www.sans.org/critical-security-controls/
Information Security Policy Templates
http://www.sans.org/security-resources/policies/
The Australian Government’s 35 Controls
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
The Center for Internet Security
http://www.cisecurity.org
Ten Steps to Planning an Effective Cyber-Incident Response
http://blogs.hbr.org/2013/07/ten-steps-to-planning-an-effect/
40. Information Security Resources
Top 15 Indicators Of Compromise
http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/240162469?itc=edit_in_body_cross
SonicWALL Phishing IQ Test
http://www.sonicwall.com/furl/phishing/
Sophos 1-Minute Security Tips for the Workplace
http://www.youtube.com/playlist?list=PLD88EACF404839195