Security Risk Management
Marcus Murray, CISSP, MVP (Security), Senior Security Advisor, Truesec

Marcus Murray, MVP

Agenda
- What is Risk Management?
- Security Strategy
  - Mission and Vision
  - Security Principles
  - Risk Based Decision Model
  - Tactical Prioritization
- Representative Risks and Tactics

What is Risk Management?
- The process of identifying and valuing assets, estimating the threats and vulnerabilities that bear on them, and deciding which of the resulting risks to mitigate, accept or transfer
- Something we all do, more or less, whether or not we write it down


Risk Based Security Strategy
- Corporate Security Mission and Vision
- Security Operating Principles
- Risk Based Decision Model
- Tactical Prioritization

Information Security Mission

Risk management cycle: Assess Risk -> Define Policy -> Controls -> Audit, and back to Assess Risk.

Mission statement: Prevent malicious or unauthorized use that results in the loss of company intellectual property or productivity by systematically assessing, communicating and mitigating risks to digital assets.

Information Security Vision

An IT environment comprised of services, applications and infrastructure that implicitly provides availability, privacy and security to any client.

Key Client Assurances
- My identity is not compromised
- Resources are secure and available
- Data and communications are private
- Clearly defined roles and accountability
- Timely response to risks and threats

Security Operating Principles
- Management Commitment
  - Manage risk according to business objectives
  - Define organizational roles and responsibilities
- Users and Data
  - Manage to the practice of least privilege
  - Privacy strictly enforced
- Application and System Development
  - Security built into the development lifecycle
  - Layered defense and reduced attack surface
- Operations and Maintenance
  - Security integrated into the operations framework
  - Monitor, audit and response functions aligned to operational functions

Enterprise Risk Model

A two-by-two matrix: Impact to Business (Low to High, defined by the business owner) against Probability of Exploit (Low to High, defined by Corporate Security). Risks in the low-impact, low-probability corner are acceptable risk; risks in the high-impact, high-probability corner are unacceptable risk, and the boundary between the two regions is the level of risk the business is willing to tolerate. Risk assessment drives each risk toward the acceptable region.

Components of Risk Assessment

Asset + Threat = Impact
- Asset: what are you trying to assess?
- Threat: what are you afraid of happening?
- Impact: what is the impact to the business?

Vulnerability + Mitigation = Probability
- Vulnerability: how could the threat occur?
- Mitigation: what is currently reducing the risk?
- Probability: how likely is the threat given the controls?

Current Level of Risk: what is the probability that the threat will overcome the controls to successfully exploit the vulnerability and impact the asset? Impact combined with probability places the risk on the enterprise risk model.
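The enterprise risk model and the components above can be written down as a small risk register. The following is an added example, not code from the deck or from Truesec: the four-step scales, the per-control reduction factors, the probability floor, the risk tolerance threshold and the register entries are all assumptions chosen for illustration. Impact is taken as the business owner's rating of asset plus threat; probability starts from Corporate Security's rating of the vulnerability and is reduced by the mitigations already in place.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Four-step scales, an assumption for illustration: 1 = Low ... 4 = Critical.
LOW, MEDIUM, HIGH, CRITICAL = 1, 2, 3, 4


@dataclass
class Mitigation:
    name: str
    reduction: float  # fraction of the exploit probability this control removes (assumed per control)


@dataclass
class Risk:
    asset: str            # what are you trying to assess?
    threat: str           # what are you afraid of happening?
    vulnerability: str    # how could the threat occur?
    environment: str      # Data Center, Client, Unmanaged Client, RAS, Extranet
    impact: int           # asset + threat -> impact to the business (business owner)
    exposure: int         # probability of exploit before any control (corporate security)
    mitigations: list[Mitigation] = field(default_factory=list)

    def probability(self) -> float:
        """Vulnerability + mitigation: how likely is the threat given the controls?"""
        p = float(self.exposure)
        for m in self.mitigations:
            p *= 1.0 - m.reduction
        return max(p, 0.25)  # assumed floor: no stack of controls makes exploitation impossible

    def current_risk(self) -> float:
        """Current level of risk: impact combined with the residual probability."""
        return self.impact * self.probability()


# Assumed risk tolerance: the line between the acceptable and unacceptable regions.
ACCEPTABLE_MAX = 4.0


def classify(risk: Risk) -> str:
    return "acceptable" if risk.current_risk() <= ACCEPTABLE_MAX else "unacceptable"


def prioritize(register: list[Risk]) -> list[tuple[str, str, float, str]]:
    """Tactical prioritization: highest current risk first."""
    ranked = sorted(register, key=lambda r: r.current_risk(), reverse=True)
    return [(r.environment, r.asset, round(r.current_risk(), 2), classify(r)) for r in ranked]


def unacceptable_by_environment(register: list[Risk]) -> dict[str, list[str]]:
    """Which environments need tactics now: unacceptable risks grouped per environment."""
    out: dict[str, list[str]] = {}
    for r in register:
        if classify(r) == "unacceptable":
            out.setdefault(r.environment, []).append(r.asset)
    return out


# Constructed register entries for the example (not from the deck).
REGISTER = [
    Risk("domain controllers", "remote code execution", "unpatched OS", "Data Center",
         impact=CRITICAL, exposure=HIGH,
         mitigations=[Mitigation("patch management (SMS)", 0.7),
                      Mitigation("IPsec network segmentation", 0.3)]),
    Risk("laptops", "data theft", "unmanaged device on the corporate network",
         "Unmanaged Client", impact=HIGH, exposure=HIGH),
    Risk("RAS accounts", "credential theft", "single-factor authentication", "RAS",
         impact=HIGH, exposure=MEDIUM,
         mitigations=[Mitigation("smart cards for RAS", 0.9)]),
    Risk("lab servers", "network fingerprinting", "NetBIOS exposed", "Extranet",
         impact=LOW, exposure=MEDIUM),
]

if __name__ == "__main__":
    for env, asset, score, verdict in prioritize(REGISTER):
        print(f"{score:5.2f}  {verdict:12s} {env:16s} {asset}")
```

With these numbers the unmanaged laptops are the only unacceptable risk (impact 3 times probability 3 = 9), while the unpatched domain controllers, although the most valuable asset, drop to 2.52 because patch management and segmentation already cut the probability; that is the point of the mitigation column. The RAS entry shows the floor at work: smart cards remove most of the probability but the register never records a risk as impossible.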

Risk Management Process and Roles

A five-step cycle:
1. Prioritize Risks
2. Security Policy
3. Security Solutions & Initiatives
4. Sustained Operations
5. Compliance (feeding back into step 1)

Corporate Security (CorpSec) owns prioritizing risks, security policy and compliance; Engineering and Operations own security solutions and initiatives and sustained operations.

Tactical Prioritization by Environment

Prioritized risks are mapped onto each environment, with policies and mitigation tactics appropriate for that environment:
- Data Center
- Client
- Unmanaged Client
- RAS
- Extranet

Risk Analysis by Asset Class
- Host: exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
- Application: unauthenticated access to applications, unchecked memory allocations
- Account: compromise of the integrity or privacy of accounts
- Trust: unmanaged trusts enable movement among environments
- Network: data sniffing on the wire, network fingerprinting

Representative Risks and Tactics (Embody Trustworthy Computing)

Enterprise risk -> tactical solution
- Unpatched Devices -> Secure Environment Remediation
- Unmanaged Devices -> Network Segmentation via IPsec
- Remote & Mobile Users -> Secure Remote User
- Single-Factor Authentication -> 2-Factor for RAS & Administrators
- Source code and other key assets -> Focus Controls Across Key Assets (Managed Source initiatives)

Security Solutions and Initiatives

Mitigate risk to the infrastructure through implementation of key strategies:

1. Secure the Network Perimeter
- Secure Wireless
- Smart Cards for RAS
- Secure Remote User
- Next Generation AV
- Messaging Firewall
- Direct Connections
- IDC Network Cleanup

2. Secure the Network Interior
- Eliminate Weak Passwords
- Account Segregation
- Patch Management (SMS/WUS/SUS)
- NT4 Domain Migration
- Network Segmentation
- Smart Cards for Admin Access
- Regional Security Assessment

3. Secure Key Assets
- Automate Vulnerability Scans
- Secure Source Code Assets
- Lab Security Audit

4. Enhance Monitoring and Auditing
- Network Intrusion Detection System
- Host Intrusion Detection Systems
- Automate Security Event Analysis
- Use MOM for Server Integrity Checking
- Use ACS for real-time security log monitoring

Compliance and Remediation Overview
- Compliance management is a process plus tools (not just tools)
- The process defines the parameters within which the tools operate
- The process includes:
  - Assessment of environments and assigning values to groups of assets
  - Assessment of vulnerabilities: what is "Critical" for each environment and what is not
  - Testing
  - Communication up and down the enterprise on:
    - Policy
    - Minimum configuration standards
    - Timelines for compliance
    - Timelines and consequences of non-compliance
  - Coordination with other departments in compliance and remediation efforts
  - Enforcement
  - Compliance audits
  - Reporting

Security Update Assessment at Microsoft
- Evaluate the enterprise risk of the vulnerability against the "cost" of deploying the patch
- Combination of MSRC (Microsoft Security Response Center) and OTG (Operations and Technology Group, Microsoft's internal IT) criteria
- CorpSec owns the decision process and includes other stakeholders across OTG

MSRC Criteria
- Critical: propagation without user action
- Important: significant impact to the confidentiality, integrity or availability of data
- Moderate: significant, but mitigated by other controls, e.g. default settings or required user action
- Low: difficult exploitation, low data impact

OTG Criteria
- Use the same scale as MSRC, but evaluate additional factors:
  - Cost of patch deployment: testing required, application impacts, installation difficulty
  - Compensating controls: network controls, existing OTG best practice, etc.
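The MSRC criteria above are a decision tree, and the OTG factors adjust what falls out of it. The following is an added example, not code from the deck, from Microsoft or from Truesec: it encodes the four MSRC ratings as stated on the slide, then applies two assumed OTG rules (a compensating control lowers the enterprise rating one step; deployment cost stretches the deployment window except for a Critical), with assumed windows in days and constructed bulletins named example-1 to example-5 rather than real bulletin IDs.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    bulletin: str
    propagates_without_user_action: bool  # the MSRC "Critical" test (wormable)
    significant_cia_impact: bool          # significant impact to confidentiality, integrity or availability
    mitigated_by_default: bool            # default settings or required user action blunt the attack


@dataclass
class DeploymentFactors:
    deployment_cost: int                  # assumed 1 (push it) .. 3 (heavy testing, app impact, hard install)
    compensating_controls: list[str] = field(default_factory=list)  # e.g. network controls already in place


MSRC_SCALE = ["Low", "Moderate", "Important", "Critical"]


def msrc_rating(v: Vulnerability) -> str:
    """The MSRC criteria from the slide, tested in order of severity."""
    if v.propagates_without_user_action:
        return "Critical"
    if v.significant_cia_impact:
        return "Moderate" if v.mitigated_by_default else "Important"
    return "Low"


# Assumed deployment windows per enterprise rating, in days.
WINDOW_DAYS = {"Critical": 1, "Important": 7, "Moderate": 30, "Low": 90}


def enterprise_assessment(v: Vulnerability, d: DeploymentFactors) -> tuple[str, str, int]:
    """OTG view: start from the MSRC rating, then fold in compensating controls and deployment cost.
    Returns (msrc_rating, enterprise_rating, deployment_window_days)."""
    base = msrc_rating(v)
    level = MSRC_SCALE.index(base)
    # Compensating controls lower the enterprise rating by one step (assumed rule):
    # they reduce urgency, they never remove the need to deploy the update.
    if d.compensating_controls and level > 0:
        level -= 1
    enterprise = MSRC_SCALE[level]
    days = WINDOW_DAYS[enterprise]
    # Deployment cost stretches the window, except for a Critical, which goes out on the
    # emergency schedule regardless of what it costs to test (assumed rule).
    if enterprise != "Critical":
        days *= d.deployment_cost
    return base, enterprise, days


# Constructed bulletins and deployment factors for the example (not real bulletins).
CASES = {
    "wormable, exposed": (Vulnerability("example-1", True, True, False),
                          DeploymentFactors(3)),
    "wormable, perimeter blocks vector": (Vulnerability("example-2", True, True, False),
                                          DeploymentFactors(3, ["perimeter firewall blocks the port"])),
    "important, cheap": (Vulnerability("example-3", False, True, False),
                         DeploymentFactors(1)),
    "moderate, costly": (Vulnerability("example-4", False, True, True),
                         DeploymentFactors(2)),
    "low": (Vulnerability("example-5", False, False, False),
            DeploymentFactors(1, ["IPsec segmentation"])),
}


def assess_all() -> dict[str, tuple[str, str, int]]:
    return {name: enterprise_assessment(v, d) for name, (v, d) in CASES.items()}


if __name__ == "__main__":
    for name, (msrc, enterprise, days) in assess_all().items():
        print(f"{name:36s} MSRC={msrc:10s} enterprise={enterprise:10s} deploy within {days} days")
```

The two wormable cases show the interaction the slide is driving at: the same MSRC Critical is deployed in a day when the vector is exposed, but a perimeter control that already blocks it buys time for the heavy testing the patch needs (21 days here). The rating still never drops below the floor of the scale, and the control is recorded so the decision can be revisited when the network changes.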

