Published by Pierce McKinney, modified over 5 years ago
1
Establishing a Security Program When None Exists
Ron Woerner, Sr. Security Administrator, CSG Systems, Inc. 5/3/2019 ©2000 CSG Systems, Inc. All rights reserved
2
Security Description
The basic goals of security are Confidentiality, Integrity and Availability: the CIA of security.
Confidentiality - Is your information only available to those who need it? In other words, can only those who need to know see the data? Are secrets secret?
Integrity - Can you trust your data? Has it been altered, accidentally or maliciously, since it was written?
Availability - Are your systems and data available for use when they are needed?
3
Security Description Security is a chain; it’s only as secure as the weakest link. Security is a process, not a product. Ranum's Law: “You can't solve social problems with software.” "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” Bruce Schneier Security is a process problem and a social problem, not a technical problem.
4
Security Description
Good security encompasses: Prevention, Detection and Reaction.
Like a bank: a vault to protect the jewels; alarms to detect burglars trying to break into the vault; police that respond to the alarms.
Modern security focuses on Prevention. The CERT (computer emergency response team) is the Reaction.
5
Goals The goal is to establish a standardized security program throughout the organization. Understand your organization’s risks. Document security policies and procedures. Institute basic security applications (virus detection & firewall). Control access to all servers, systems, and applications. Evaluate and improve the security of the information system infrastructure. Educate and train all users on systems security. Monitor and enforce security.
6
Home Security Analogy
Systems security is like securing your house:
Policies are the written understanding.
Access control and passwords are the keys.
Window and door locks keep out intruders.
A security camera watches open doors.
The intent is to make the environment less inviting to those looking for easy pickings.
7
Goals
Conduct security assessment
Document IS security policies and procedures
Acquire and utilize security tools
Control access and authorizations
Identify (and correct) potential vulnerabilities
Guide, assist and train administrators & users
Your goals will be largely determined by the following key tradeoffs: (1) services offered versus security provided, (2) ease of use versus security, (3) cost of security versus risk of loss. The hardest part of implementing security is not the technology, but the people.
8
Security Assessment
What needs to be protected?
What are the risks associated with protected assets? Internal threats; external threats.
Evaluate the current policies and procedures. This shows where you are and where you want to be.
You need to understand the assets so you can set the appropriate level of security: you don’t want to put a $10,000 security system on a Geo Metro. This includes understanding threats and risks.
9
Security Risks You need to be concerned about:
Disclosure of confidential information - The disclosure of personal and private information about individuals can lead to civil or criminal liability for your company. Data loss - Data can be electronically destroyed or altered either accidentally or maliciously. Damage to reputation - Customers, potential customers, investors, and potential investors are all influenced by a security incident. Downtime - A security incident can shut an organization down.
10
Threats Unauthorized access to resources and/or information
Unintended and/or unauthorized disclosure of information Denial of service At the data, application or system level Can be intentional or unintentional
11
The “Crown Jewels” Question:
What are your organization’s “Crown Jewels”? What attracts hackers to your organization? Why would a hacker take interest in your organization? What are your organization’s biggest vulnerabilities?
12
Risk Management
Reducing risk: technical products; procedural change.
Accepting risk: as a cost of doing business; make contingency plans.
Transferring risk: outsourcing; insurance.
Also, ignoring risk - but that’s not advisable.
13
Document
Policies: organization-wide, high-level, for all employees; set expectations on the use of company systems. The first step is to have a company-wide Information Systems Policy!
Standards & Guidelines, Procedures: specific on how to do business.
A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets. (This wording comes from RFC 2196, the Site Security Handbook.) The characteristics of a good security policy are: implementable, enforceable, flexible, and clearly defines areas of responsibility. It will initially contain: access, usage, incident handling.
14
Security Tools
Identify, acquire and utilize security tools:
Firewall* - protects your network from the Internet
Virus detectors* - protect against malicious programs
Access control and administration - user administration; secure access
Vulnerability assessment
System monitoring
* These are critical in the beginning.
Need a server to put these tools on: linux (low-end pentium), aix (sp-mst2), solaris <-- would be optimum. Could we use Tivoli to evaluate and monitor security? According to Randy Fox, we have a site license for Network Associates. Does that include CyberCop?
15
Control Access
Manage login account requests: add, modify & remove accounts.
Keep a database of who has access to what.
Review and revise account access regularly, including administrator access and group and system accounts.
Establish a security banner on all systems.
Authentication vs. authorization: authentication establishes who a user is; authorization decides what that user is allowed to do.
Identification and authentication measures are centered on one of three things:
1. Something you know - passwords, PINs
2. Something you are - biometrics
3. Something you have - access cards
Security Banner: WARNING: This system is restricted to CSG authorized users for business purposes. Unauthorized access is a violation of company policy and the law. This system may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring.
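An access review of the kind this slide calls for, as an added example that is not part of the original presentation: the account inventory, the list of current staff, the privileged group names and the 90-day dormancy threshold are all constructed assumptions, not CSG's data. It flags personal accounts whose owner is no longer employed, shared or system logins with no recorded owner, logins nobody has used, and administrator group membership for confirmation.

```python
"""Access review over a constructed account inventory (added example).

Assumes one record per login per system with the fields used below; the
thresholds and group names are assumptions, not the organisation's policy.
"""
from datetime import date

DORMANT_DAYS = 90                        # assumed: unused this long -> disable pending review
ADMIN_GROUPS = {"wheel", "root", "dba"}  # assumed: groups that confer administrator access
ACTIVE_STAFF = {"alice", "bob"}          # constructed HR list of current employees
REVIEW_DATE = date(2000, 5, 3)           # the day the review is run

# Constructed sample inventory.
# type: "user" (tied to a person), "system" (daemon/service), "group" (shared login)
SAMPLE_ACCOUNTS = [
    {"login": "alice", "system": "web1", "type": "user", "owner": "alice",
     "groups": {"staff"}, "last_login": date(2000, 4, 28)},
    {"login": "bob", "system": "web1", "type": "user", "owner": "bob",
     "groups": {"staff", "wheel"}, "last_login": date(2000, 4, 30)},
    {"login": "carol", "system": "db1", "type": "user", "owner": "carol",  # has left
     "groups": {"dba"}, "last_login": date(2000, 1, 5)},
    {"login": "backup", "system": "db1", "type": "system", "owner": "",     # nobody owns it
     "groups": {"root"}, "last_login": None},
    {"login": "nightshift", "system": "web1", "type": "group", "owner": "bob",
     "groups": {"staff"}, "last_login": date(1999, 11, 2)},
]


def review_accounts(accounts, active_staff, today,
                    dormant_days=DORMANT_DAYS, admin_groups=ADMIN_GROUPS):
    """Return a list of (login, system, finding) for the reviewer to act on."""
    findings = []
    for acct in accounts:
        key = (acct["login"], acct["system"])
        # A personal account must belong to someone still employed.
        if acct["type"] == "user" and acct["owner"] not in active_staff:
            findings.append(key + ("owner no longer active: remove or disable",))
        # Shared and service logins need a named person responsible for them.
        if acct["type"] in ("system", "group") and not acct["owner"]:
            findings.append(key + ("no owner recorded: assign an owner",))
        # An unused login is an open door nobody is watching (service
        # accounts are skipped here because they rarely log in interactively).
        last = acct["last_login"]
        if acct["type"] != "system" and (last is None or (today - last).days > dormant_days):
            findings.append(key + (f"no login in {dormant_days} days: disable pending review",))
        # Privileged membership gets a second look every cycle regardless.
        privs = acct["groups"] & admin_groups
        if privs:
            findings.append(key + (f"administrator access via {sorted(privs)}: confirm still required",))
    return findings


if __name__ == "__main__":
    for login, system, finding in review_accounts(SAMPLE_ACCOUNTS, ACTIVE_STAFF, REVIEW_DATE):
        print(f"{login}@{system}: {finding}")
```

On the sample data alice produces no findings; carol (departed, dormant, still in dba) produces three, which is the pattern a review most needs to catch: access that outlived the person's role.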
16
Identify Vulnerabilities
Network: configuration; network diagram; firewall & routers. What are the open doors?
17
Identify Vulnerabilities
System:
Passwords - enforce password policy; check strength.
Remove unneeded services.
Check and lock file & data sharing - only those who need access should have access.
Unpatched operating systems or applications.
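The password-strength check from this slide and the "open doors" question from the network slide before it, as an added example that is not part of the original presentation: the minimum length, the common-word list, the port allowlist and the netstat-style sample listing are all assumptions.

```python
"""Host checks: password policy and unexpected listening services (added example).

The policy values, word list, allowlist and sample output are assumed, not CSG's.
"""
import re

MIN_LENGTH = 8                                     # assumed policy minimum
# Assumed starter list; a real check uses a dictionary file, not six words.
COMMON_WORDS = {"password", "welcome", "letmein", "secret", "qwerty", "csg"}
# Undo the usual letter-for-symbol substitutions before the dictionary check,
# so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@$0134", "asoiea")


def check_password(candidate, username):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if username.lower() in candidate.lower():
        problems.append("contains the username")
    normalised = candidate.lower().translate(LEET)
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("based on a common word")
    return problems


# Constructed sample in the shape of `netstat -an | grep LISTEN` on a Unix host.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:23        0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:111       0.0.0.0:*   LISTEN
tcp        0      0 127.0.0.1:25      0.0.0.0:*   LISTEN
"""
# Assumed allowlist for a public web server: the services it is meant to offer.
ALLOWED_PORTS = {22, 80}


def unexpected_listeners(netstat_text, allowed_ports):
    """Return sorted (port, bind_address) pairs for listeners outside the allowlist."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        if int(port) not in allowed_ports:
            found.append((int(port), addr))
    return sorted(found)


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "alice1234", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, "alice") or "ok")
    for port, addr in unexpected_listeners(SAMPLE_NETSTAT, ALLOWED_PORTS):
        scope = "loopback only" if addr.startswith("127.") else "reachable from the network"
        print(f"port {port} on {addr} ({scope}): not on the allowlist, close it or justify it")
```

The listener check reports the bind address as well as the port because a service bound to 127.0.0.1 (the sample's SMTP on 25) is a smaller exposure than telnet and portmapper on 0.0.0.0, but both are still "open doors" that the allowlist did not sanction.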
18
Guide, Assist & Train
Work with the SysAdmins on security: implement security checklists; provide guidance/assistance on implementing security fixes/patches; establish security projects.
Educate users: let them know the importance of systems security. Assist product managers.
Both (SysAdmins and users): what to do when there is a security incident.
SysAdmins - front line for security. Also Help Desk personnel.
Educate users - have security be a consideration when purchasing applications. Developers should know about secure programming.
Need a procedure for handling security incidents.
19
Security Incidents - Users
Any user may encounter a security incident. Security incidents include: malicious programs (viruses, worms, trojan horses, etc.) found in e-mail or applications; system intrusion by an unauthorized user.
If you do see a security incident: Don’t spread it! If you get an e-mail with what looks like a virus, don’t open it or send it to anyone. Don’t forward warnings about viruses! Contact your manager or the Security Admin. They will investigate and resolve the problem.
20
Security Incidents - Security Admin
Keep in mind that something that appears to be a security incident is often really human error or system failure. The security administrator/manager should ask: What is the problem/incident? (What happened?) What is affected? (System, application, etc.) Does anyone else have the same problem?
Contain the problem. Get others involved: management, administrators, CERT.
21
Security Caveat These tasks won’t close all of the holes.
Everyone needs to take responsibility for information systems security. The intent is to make your environment much less inviting to those looking for easy pickings. This also establishes legal due diligence in protecting your organization.
22
Security Administration
Eugene Spafford’s first principle of security administration: If you have responsibility for security, but have no authority to set rules or punish violators, your role is to take the blame when something goes wrong.*
* Garfinkel & Spafford, Practical Unix & Internet Security, O’Reilly & Associates, Inc., 1996, p. 39.