2. The Global Threat
Information security is not just a paperwork drill…there are dangerous adversaries out there capable of launching serious attacks on our information systems that can result in severe or catastrophic damage to the nation’s critical information infrastructure and ultimately threaten our economic and national security…
3. Critical Infrastructures
Examples
Energy (electrical, nuclear, gas and oil, dams)
Transportation (air, road, rail, port, waterways)
Public Health Systems / Emergency Services
Information and Telecommunications
Defense Industry
Banking and Finance
Postal and Shipping
Agriculture / Food / Water
Chemical
4. Computer Security Practices in Nonprofit Organizations
• When asked how employees would characterize the state of their own organization's computer security practices, nearly a third of the respondents (32%) acknowledged that their computer security practices needed to be improved.
• How did respondents describe their own organization's computer security?
6. Which of the following statements best describes your organization's computer security?
7. Does your organization have a data recovery plan to implement in the event of catastrophic data loss?
8. In your opinion, what are the computer security issues that your organization needs to address?
9. The Risks are Real
• Lost laptops and portable storage devices
• Data/Information “left” on public computers
• Data/Information intercepted in transmission
• Spyware, “malware,” “keystroke logging”
• Unprotected computers infected within seconds of being connected to the network
• Thousands of attacks on campus networks every day
11. Risk Management Flow
• Investigate
• Analyze (Risk Identification): identify the vulnerability
• Analyze (Risk Control): investigate how to control the vulnerabilities
• Design
• Implement
• Maintain
12. Information Security Program
Adversaries attack the weakest link…where is yours?
Risk assessment
Security planning
Security policies and procedures
Contingency planning
Incident response planning
Security awareness and training
Physical security
Personnel security
Certification, accreditation, and security assessments
Access control mechanisms
Identification & authentication mechanisms
(Biometrics, tokens, passwords)
Audit mechanisms
Encryption mechanisms
Firewalls and network security mechanisms
Intrusion detection systems
Security configuration settings
Anti-viral software
Smart cards
Links in the Security Chain: Management, Operational, and Technical Controls
13. What you need to know
• IT resources to be managed
• What’s available on your network
• Policies, laws & regulations
• Security Awareness
• Risk Assessment, Mitigation, & Monitoring
• Resources to help you
14. The Golden Rules
Building an Effective Enterprise Information Security Program
Develop an enterprise-wide information security strategy and game plan
Get corporate “buy in” for the enterprise information security program—effective programs start at the top
Build information security into the infrastructure of the enterprise
Establish level of “due diligence” for information security
Focus initially on mission/business case impacts—bring in threat information only when specific and credible
15. The Golden Rules
Building an Effective Enterprise Information Security Program
Create a balanced information security program with management, operational, and technical security controls
Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk
Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data
Harden the target; place multiple barriers between the adversary and enterprise information systems
Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems
16. The Golden Rules
Building an Effective Enterprise Information Security Program
Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes
Don’t tolerate indifference to enterprise information security problems
And finally…
Manage enterprise risk—don’t try to avoid it!
[Slide image: “Threats to security”. Photograph of a radio tower to demonstrate connectivity, and a second photograph of a magnified computer chip to demonstrate complexity.]
[Slide image: a chain, illustrating that a chain is only as strong as its weakest link. All listed Management, Operational and Technical controls must be in place.]