Applied Security Strategies

Presentation on theme: "Applied Security Strategies"— Presentation transcript:

1 Applied Security Strategies
Alun Rogers, Principal Consultant, Lynx

2 Some clarity
Quote from Encarta Dictionary:
Applied - practical: able to be put to practical use, especially as a branch of a subject that has both practical and theoretical aspects.
Strategy - planning in any field: a carefully devised plan of action to achieve a goal, or the art of developing or carrying out such a plan.

3 Trying to get control of this lot?
Enterprise and personal firewall
IPSEC
Intrusion Detection
Authentication, Biometrics, Smartcards, Single Sign-on
Virtual Private Networks
SPAM
Content Filtering
Wireless
Remote workers
Anti-Virus
Standard builds
Quarantine / Network Admission Control
SSL

4 Do you have an Organic Infrastructure?
I don’t mean the people problem, though you should seriously consider social engineering & security awareness
Project based implementations tend to be islands of “in”security
Holistic approach needed
If you want MainFrame Security then treat your systems in that way

5 How often is your Risk Assessed?
And by whom?
What steps do you take to update your mitigation steps?

6 How are your mitigation steps evaluated?
By an external auditor?
By a hacker? Do they get in? Or out?
By you?

7 How do you deal with Emergencies?
Have a process
That’s been proven to work
Automation to expedite response and mitigation
That users can feed into

8 Impact of Change
Things Break
Supportability

9 Need to be Realistic
Evolution NOT Revolution
Security architectures work brilliantly on paper
Need to review “where we are”
Plan for “where we’d like to be”
Take steps along the way

10 Defining an approach
Evaluate your assets
Evaluate your attack surface
Evaluate risk - You are at threat from:
Other people
Other computers
Your own people
Your own computers
Plan for change

11 Architect for security
Good security design & planning can mitigate many attacks and limit their impact
Separation of duties, isolation of systems, quarantine & segmentation can all help
Automation reduces administrative overhead and increases security
Prevent people adding unauthorised software
Enforce non-admin and least privilege
Secure by default

12 An holistic approach to defining strategy

13 Policies and Procedures
If you do not have processes then all the technology in the world won’t help you
ITIL, Microsoft Operations Framework (MOF), Microsoft Solutions for Management (MSM)
MOF Security Management SMF
Security Roles - Policy
Security Administration - Process

14 Do you have one of these? Security Policy
That’s aligned to business objectives
That’s aligned to technical realities
That has Teeth
That your users are aware of
That makes sense

15 Where Policy Goes Wrong
(Diagram: Policy, Process, Implementation, Technology, Operations, Documentation)

16 Security Policy Model
(Diagram: Policy, Process, Implementation, Technology, Operations, Documentation)
Start with policy
Build process
Apply technology

17 Measuring Security Policy
Compare to standards and best practices
Security Policy - “What you must do”
Documented Procedures - “What you say you do”
Operations - “What you really do”

18 Strategies for Creating Security Policy
Root your security policy in well-known industry standards or regulations
ISO – Security Management Best Practices
ISC2 Common Body of Knowledge
RFC 2196 – Site Security Handbook
Security policies have to start from the top down
Illustrate the value of security policy to management
Get corporate legal and HR departments to assist you

19 Patch Management Process
1. Assess Environment to be Patched
Periodic Tasks: A. Create/maintain baseline of systems; B. Assess patch management architecture; C. Review infrastructure/configuration
Ongoing Tasks: A. Discover assets; B. Inventory clients
2. Identify New Patches
Tasks: A. Identify new patches; B. Determine patch relevance; C. Verify patch authenticity and integrity
3. Evaluate and Plan Patch Deployment
Tasks: A. Obtain approval to deploy patch; B. Perform risk assessment; C. Plan patch release process; D. Complete patch acceptance testing
4. Deploy the Patch
Tasks: A. Distribute and install patch; B. Report on progress; C. Handle exceptions; D. Review deployment
(Cycle: 1. Assess, then 2. Identify, then 3. Evaluate and Plan, then 4. Deploy, then back to 1. Assess)

20 Monitoring Patch Status
Subscribe to notification services
Microsoft Security Notification Service
Third-party mailing lists
Check websites
Product-specific pages
Third-party sites
Implement regular review and deployment schedule
Microsoft’s patch release schedule: second Tuesday of each month
Exception: customers are at immediate risk
Configure automated tools to check for new updates daily

21 Recommended Patching Time Frame
When to Apply Patches
Apply as soon as possible
Apply only after testing
Implement mitigating measures
Apply according to severity rating

Severity Rating / Definition / Recommended Patching Time Frame
Critical: Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action. Time frame: Within 24 hours
Important: Exploitation could result in compromise of the confidentiality, integrity, or availability of users’ data or in the integrity or availability of processing resources. Time frame: Within 1 month
Moderate: Exploitation is serious but has been mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation. Time frame: Wait for next service pack or patch rollup that includes the patch, or deploy the patch within 4 months
Low: Exploitation is extremely difficult, or impact is minimal. Time frame: Wait for next service pack or patch rollup that includes the patch, or deploy the patch within 1 year
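The four-phase process on slide 19 and the severity time frames on slide 21 only become measurable (slide 17's "what you say you do" against "what you really do") when the deadlines are computed against an actual inventory. The Python below is an added example written for this page, not code from the presentation, from Lynx or from Microsoft. Every host name, patch id, release date and digest is constructed sample data, matching patches to hosts by product name is a simplification of a real inventory, and only the integrity half of "verify patch authenticity and integrity" is shown (authenticity needs a signature check against the vendor's key, which this example does not do).

```python
"""Measuring a patch policy against the slide 21 time frames: the severity
ratings become deadlines, the inventory and the identified patches are
evaluated against them, and a download must hash to the published digest
before it is released. Added example; all data below is constructed."""
import hashlib
import hmac
from datetime import date, timedelta

# Outer bound of the recommended patching time frame per severity rating.
# "Moderate" and "Low" may also wait for the next service pack or rollup;
# the hard deadline is what gets measured here.
PATCH_DEADLINE = {
    "Critical": timedelta(days=1),
    "Important": timedelta(days=30),
    "Moderate": timedelta(days=120),
    "Low": timedelta(days=365),
}

# Assess phase: constructed inventory of discovered assets and installed patches.
HOSTS = {
    "web01": {"products": {"Windows Server", "IIS"}, "installed": {"KB-EXAMPLE-1"}},
    "db01": {"products": {"Windows Server", "SQL Server"}, "installed": set()},
    "ws17": {"products": {"Windows XP", "Office"}, "installed": {"KB-EXAMPLE-2"}},
}

# Identify phase: constructed bulletins. Ids and dates are placeholders, and
# "published_sha256" stands for the digest a vendor publishes beside a download.
# The placeholder digest is SHA-256 of the bytes b"abc" (a standard test vector).
SHA256_OF_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
PATCHES = [
    {"id": "KB-EXAMPLE-1", "product": "Windows Server", "severity": "Critical",
     "released": date(2004, 4, 13), "published_sha256": SHA256_OF_ABC},
    {"id": "KB-EXAMPLE-2", "product": "Office", "severity": "Important",
     "released": date(2004, 4, 13), "published_sha256": SHA256_OF_ABC},
    {"id": "KB-EXAMPLE-3", "product": "SQL Server", "severity": "Moderate",
     "released": date(2004, 3, 9), "published_sha256": SHA256_OF_ABC},
    {"id": "KB-EXAMPLE-4", "product": "Windows XP", "severity": "Low",
     "released": date(2003, 3, 11), "published_sha256": SHA256_OF_ABC},
]
TODAY = date(2004, 4, 20)  # constructed "now" for the report


def verify_integrity(payload: bytes, published_sha256: str) -> bool:
    """Identify phase, task C: the downloaded bytes must hash to the published
    digest. compare_digest keeps the comparison time independent of where the
    two strings first differ."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, published_sha256.lower())


def applies_to(host: dict, patch: dict) -> bool:
    """Identify phase, task B: a patch is relevant when the host runs the
    product and does not already have the patch installed."""
    return patch["product"] in host["products"] and patch["id"] not in host["installed"]


def deadline(patch: dict) -> date:
    """Evaluate phase: release date plus the time frame for the severity rating."""
    return patch["released"] + PATCH_DEADLINE[patch["severity"]]


def compliance_report(hosts: dict, patches: list, today: date) -> dict:
    """Per host, every relevant patch that is missing, with its deadline and
    whether that deadline has already passed."""
    report = {}
    for name, host in hosts.items():
        missing = []
        for patch in patches:
            if applies_to(host, patch):
                due = deadline(patch)
                missing.append({"id": patch["id"], "severity": patch["severity"],
                                "due": due, "overdue": today > due})
        # Most urgent first: overdue patches, then the earliest deadline.
        missing.sort(key=lambda m: (not m["overdue"], m["due"]))
        report[name] = missing
    return report


def overdue_hosts(report: dict) -> list:
    """Hosts with at least one patch past its deadline: the exceptions the
    Deploy phase has to handle and report on."""
    return sorted(name for name, missing in report.items()
                  if any(m["overdue"] for m in missing))


if __name__ == "__main__":
    # Release gate: a download that fails the integrity check is never deployed.
    print("integrity ok:", verify_integrity(b"abc", SHA256_OF_ABC))
    print("tampered    :", verify_integrity(b"abd", SHA256_OF_ABC))
    report = compliance_report(HOSTS, PATCHES, TODAY)
    for host, missing in report.items():
        for m in missing:
            print(f"{host}: {m['id']} ({m['severity']}) due {m['due']} overdue={m['overdue']}")
    print("hosts needing escalation:", overdue_hosts(report))
```

With the constructed data, db01 is missing a Critical patch released on the April patch Tuesday (one day past its 24-hour window at the report date) and a Moderate one still inside its four months, while ws17 is missing a Low-rated patch that has exhausted its one-year allowance; both hosts therefore surface as exceptions even though only one of them is "urgent" in the everyday sense. That is the point of measuring the policy rather than reading it.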

22 Microsoft Tools for Patch Management
Analysis Tools: Microsoft Baseline Security Analyzer (MBSA); Office Inventory Tool
Online Update Services: Windows Update; Office Update
Content Repositories: Windows Update Catalog; Office Download Catalog; Microsoft Download Center
Management Tools: Automatic Updates (AU) feature in Windows; Software Update Services (SUS); Systems Management Server (SMS)
Prescriptive Guidance: Patch Management Using SUS; Microsoft Guide to Security Patch Management; Patch Management Using SMS

23 Reporting and Monitoring
Enforce policy
Audit changes - Centralised, alerting
Audit Access
Constant review
Enrol to Microsoft Security bulletin
Patch management
Use automated patch management solution
Windows server and clients
Applications for servers and clients

24 Physical Security
Are all your servers in a server room?
Who has access to server rooms?
Is the server room physically secure?
Where are your workstations? Laptops?!?!

25 Securing the Network
Protect your network with a firewall
Protect your application with a firewall
Use the right type of firewall appropriately
Enforce authentication for all traffic that goes in and out of the network
Try to remove direct connections from hosts to the Internet where possible

26 Secure the Network
All connections should be treated as untrusted
Isolate before allowing access to resources
Remote
Local

27 Secure the Platform
Anti Virus
Select Anti Virus software that is easy to manage
Is centrally configurable to initiate on-demand scans
Is centrally configurable to force updates across estate
Applies to all entry points (devices)
Applies to all entry points (applications)
Provides gateway protection
Anti Spyware and malware
Harden OS and browsers
Monitor and restrict access to sites
Restrict privileges

28 Secure the Platform
Authentication
2 Factor, Kerberos, MSCHAP v2
Select the correct methods appropriately
Access point
Type of access
Service/application accessed
Privileges granted
Principle of Least Privilege
Manage access to admin rights centrally

29 Active Directory can help
Active Security Management
Use Organisational Units
Group systems by role
Automatically remove non-compliant items

30 Secure The Application
Making the application more robust
Security Operations Guide
Writing Secure Code II
Provide protection at the perimeter for external access
Harden application
Consider requirement to duplicate perimeter security measures for internal access
Delegation of control
Code reviews and assessment

31 Secure The Application
Always use SSL for authentication AND data transfer
Use tools such as MBSA to check for OS configuration and patch levels
Use the Best Practice Analyzers to verify application configuration for applications such as Exchange and SQL
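"Always use SSL" is only half the requirement: a client that encrypts but does not verify the server's certificate sends credentials to whatever answers on the port, so the authentication part of the slide is lost. The Python below, an added example using the standard ssl module and not code from the presentation, puts the weak client settings beside the hardened ones and adds a small check that reports which of the two a given context is; the URL in the usage is a placeholder.

```python
"""Client TLS configuration: the settings that encrypt but do not authenticate
the server, beside the hardened settings, with an audit function that tells
them apart. Added example built on Python's standard ssl module."""
import ssl
from urllib.parse import urlparse


def weak_client_context() -> ssl.SSLContext:
    """Encrypts the connection but accepts any certificate, so the client
    cannot tell the real server from anything else sitting in the path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain-of-trust check at all
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the chain against the system trust store, checks that the
    certificate names the host being contacted, and refuses pre-1.2 TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_findings(ctx: ssl.SSLContext) -> list:
    """Audit a client context; an empty list means nothing to report."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-chain-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("weak-minimum-version")
    return findings


def uses_tls(url: str) -> bool:
    """True only for https:// URLs; credentials and data never go over plain http."""
    return urlparse(url).scheme == "https"


if __name__ == "__main__":
    print("weak    :", context_findings(weak_client_context()))
    print("hardened:", context_findings(hardened_client_context()))
    # Placeholder URLs; .invalid is reserved and never resolves.
    for url in ("http://intranet.example.invalid/login", "https://intranet.example.invalid/login"):
        print(url, "->", "ok" if uses_tls(url) else "refuse")
```

The two flags the audit looks for are exactly the ones that get switched off "temporarily" to make a self-signed test certificate work and then ship; running context_findings over the contexts an application builds is a cheap way to catch that before MBSA-style configuration checks would.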

32 Protecting Intellectual Property
Encrypt storage of data that may be vulnerable
Enforce access controls
Think about in-document encryption and signing

33 Legal reasons to act
Corporate Governance – SOX
Freedom of Information
Regulation of Investigatory Powers Act (RIPA)
California Security Law SB-1386
Numerous Privacy laws
HIPAA
SB-1386: The state passes a tough law regarding public disclosure of security breaches after a hacker breaks into a state employee database. Any company that does business in the state is required to report security breaches that involve personally identifiable financial information.

34 Learn from others
ISO 17799
Mapping MOF to International Security Standards ISO 17799
RFC 2196: Site Security Handbook
Prescriptive Guidance
MS ITShowcase
How to Get your Network Hacked in 10 Easy Steps
10 Immutable Laws of Security
Security Update notification

35 Event Information
What’s Next?
Technical Roadshow Post Event Website
Available from Monday 18th April
Please complete your Evaluation Form!

36 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

