Donald Hester October 21, 2010 For audio call Toll Free 1 - 888-886-3951 and use PIN/code 158313.

Presentation transcript:

Housekeeping
- Maximize your CCC Confer window.
- Phone audio will be in presenter-only mode.
- Ask questions and make comments using the chat window.

Adjusting Audio
1) If you're listening on your computer, adjust your volume using the speaker slider.
2) If you're listening over the phone, click on the phone headset. Do not listen on both computer and phone.

Saving Files & Open/Close Captions
1. Save the chat window with the floppy disc icon.
2. Open/close the captioning window with the CC icon.

Emoticons and Polling
1) Raise hand and emoticons
2) Polling options

Donald Hester

Donald E. Hester, CISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Las Positas College

- Organizations are becoming increasingly dependent on technology and the Internet.
- The loss of technology or the Internet would bring operations to a halt.
- The need for security increases as our dependence on technology increases.
- Management wants assurance that technology gets the attention it deserves.

- Does our current security posture address what we are trying to protect?
- Do we know what we need to protect?
- Where can we improve?
- Where do we start?
- Are we compliant with laws, rules, contracts and organizational policies?
- What are your risks?

- Provide assurance
- Demonstrate due diligence
- Make risk-based decisions

- Assessment
- Audit
- Review
- ST&E = Security Test & Evaluation
- Testing
- Evaluation

Assessment process phases:
1. Planning
2. Information Gathering
3. Business Process Assessment
4. Technology Assessment
5. Risk Analysis & Reporting

- Vulnerability Assessment
- Penetration Test
- Application Assessment
- Code Review
- Standard Audit/Review
- Compliance Assessment/Audit
- Configuration Audit
- Wireless Assessment
- Physical/Environmental Assessment
- Policy Assessment

- What will be the scope of the assessment?
  - Network (pen test, vulnerability scan, wireless)
  - Application (code review or vulnerability scan)
  - Process (business or automated)
- How critical is the system you are assessing?
  - High or medium: use an independent assessor
  - Low: self-assessment

- Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATs)
- Computer Assisted Audit Tools and Techniques (CAATTs):
  - SQL queries
  - Scanners
  - Excel programs
  - Live CDs
  - Checklists

- AuditNet
- ISACA & IIA Member Resources
- DoD Checklists: iase.disa.mil/stigs/checklist/
- NIST Special Publications: csrc.nist.gov/publications/PubsSPs.html

- BackTrack
- Knoppix Security Tool Distribution
- F.I.R.E.
- Helix

- Documentation Review
- Log Review
- Ruleset Review
- System Configuration Review
- Network Sniffing
- File Integrity Checking

- Network Discovery
- Network Port and Service Identification
  - OS fingerprinting
- Vulnerability Scanning
- Wireless Scanning
  - Passive Wireless Scanning
  - Active Wireless Scanning
  - Wireless Device Location Tracking (Site Survey)
  - Bluetooth Scanning
  - Infrared Scanning

- Password Cracking: transmission / storage
- Penetration Testing: automated / manual
- Social Engineering: phishing

- Microsoft Security Assessment Tool (MSAT)

Governance, Risk, Compliance
- Dashboards
- Metrics
- Checklists
- Reporting
- Trend Analysis
- Remediation

- Black Box Testing: assessor starts with no knowledge
- White Box Testing: assessor starts with knowledge of the system, i.e. the code
- Grey Box Testing: assessor has some knowledge, not completely blind

Application data flow: Input (data entry) -> Data Collection -> Database Storage -> Output (reports), with a verification match between stages.

- Code Review: automated / manual
- Vulnerability scanning
- Configuration review
- Verification testing
- Authentication
- Information leakage
- Input/output manipulation

- Native Audit (provided by the DB)
- SIEM & Log Management
- Database Activity Monitoring
- Database Audit Platforms: remote journaling & analytics
- Compliance testing
- Performance

- Configuration
- Verification testing
- Log and alert review

- Electromagnetic Radiation
- Emissions Security (EMSEC)
- Van Eck phreaking
- TEMPEST
- TEMPEST surveillance prevention
- Faraday cage

- Assessment of the use of resources
- Power Management
- Virtualization Assessment

- Plan Testing, Training, and Exercises (TT&E)
- Tabletop Exercises:
  - Checklist Assessment
  - Walk Through
- Functional Exercises:
  - Remote Recovery
  - Full Interruption Test

- Vulnerability: a weakness in an information system, or in system security procedures, internal controls, or implementation, that could be exploited or triggered by a threat source.
- Vulnerability Scanning: a technique used to identify hosts/host attributes and associated vulnerabilities. (Technical)

- Microsoft Baseline Security Analyzer

Sample from Qualys

Where is the best place to scan from? The external scan found 2 critical vulnerabilities; the internal scan found 15 critical vulnerabilities.

Exercise 1 (unannounced): Penetration Testers vs. Incident Responders, mimicking real-world attacks, with Observers and Referees.

Exercise 2 (announced): Penetration Testers vs. Incident Responders, mimicking real-world attacks.

Sample from Core Impact

- Open Source Vulnerability DB
- National Vulnerability Database
- Common Vulnerabilities and Exposures
- Exploit Database

- Posture review
- Access control testing
- Perimeter review
- Monitoring review
- Alarm response review
- Location review (business continuity)
- Environmental review (AC / UPS)

Knowledge, Skill, Ability

- Priority Certifications:
  - Certified Information Systems Auditor (CISA)*
  - GIAC Systems and Network Auditor (GSNA)
- Secondary Certifications:
  - Vendor neutral: CISSP, Security+, GIAC, CISM, etc.
  - Vendor specific: Microsoft, Cisco, etc.
* GAO: 65% of audit staff to be CISA

- At the discretion of the organization
- Legal Review:
  - Reviewing the assessment plan
  - Providing indemnity or limitation of liability clauses (insurance), particularly for tests that are intrusive
  - Nondisclosure agreements
  - Privacy concerns

- Mitigation Recommendations: technical, managerial or operational
- Reporting: draft and final reports
- Remediation / Mitigation: it is not enough to find problems; there needs to be a process to fix them

- Information Systems Audit and Control Association (ISACA)
- American Institute of Certified Public Accountants (AICPA)
- Institute of Internal Auditors (IIA)
- SANS
- National State Auditors Association (NSAA)
- U.S. Government Accountability Office (GAO)

- Gartner Report on Vulnerability Assessment Tools
- Twenty Critical Controls for Effective Cyber Defense

Evaluation Survey Link: help us improve our seminars by filling out a short online evaluation survey at:

Thanks for attending. For upcoming events and links to recently archived seminars, check the Web site at: