Presentation is loading. Please wait.

Presentation is loading. Please wait.

Establishing a Security Program When None Exists

Published byPierce McKinney Modified over 5 years ago

Similar presentations

Presentation on theme: "Establishing a Security Program When None Exists"— Presentation transcript:

1 Establishing a Security Program When None Exists
Ron Woerner, Sr. Security Administrator CSG Systems, Inc. 5/3/2019 ©2000 CSG Systems, Inc. All rights reserved

2 Security Description The basic goals of security are Confidentiality
Integrity Availability The CIA of security. Confidentiality - Is your information only available to those who need it? IOW, can only those who need to know see the data? Are secrets secret? Integrity - Can you trust your data? Availability - Is your systems/data available for use? 5/3/2019

3 Security Description Security is a chain; it’s only as secure as the weakest link. Security is a process, not a product. Ranum's Law: “You can't solve social problems with software.” "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” Bruce Schneier Security is a process problem and a social problem, not a technical problem. 5/3/2019

4 Security Description Good security encompasses: Prevention Detection
Reaction Like a bank: A vault to protect the jewels Alarms to detect the burglars trying to brake into the vault Police that respond to the alarms. Modern security focuses on Prevention. CERT is the Reaction. 5/3/2019

5 Goals The goal is to establish a standardized security program throughout the organization. Understand your organization’s risks. Document security policies and procedures. Institute basic security applications (virus detection & firewall). Control access to all servers, systems, and applications. Evaluate and improve the security of the information system infrastructure. Educate and train all users on systems security. Monitor and enforce security. 5/3/2019

6 Home Security Analogy Systems Security is like securing your house
Policies are the written understanding Access control and passwords are the keys Window and door locks keep out intruders A security camera watches open doors The intent is to make the environment less inviting to those looking for easy pickings 5/3/2019

7 Goals Conduct security assessment
Document IS security policies and procedures Acquire and utilize security tools Control access and authorizations Identify (and correct) potential vulnerabilities Guide, assist and train administrators & users Your goals will be largely determined by the following key tradeoffs: (1) services offered versus security provided (2) ease of use versus security (3) cost of security versus risk of loss The hardest part of implementing security is not the technology, but the people. 5/3/2019

8 Security Assessment What needs to be protected
What are the risks associated with protected assets Internal threats External threats Evaluate the current policies and procedures This shows where you are and where you want to be Need to understand the assets so you can set the appropriate level of security Don’t want to but a $10,000 security system on a Geo Metro. Includes understanding threats and risks. 5/3/2019

9 Security Risks You need to be concerned about:
Disclosure of confidential information - The disclosure of personal and private information about individuals can lead to civil or criminal liability for your company. Data loss - Data can be electronically destroyed or altered either accidentally or maliciously. Damage to reputation - Customers, potential customers, investors, and potential investors are all influenced by a security incident. Downtime - A security incident can shut an organization down. 5/3/2019

10 Threats Unauthorized access to resources and/or information
Unintended and/or unauthorized disclosure of information Denial of service At the data, application or system level Can be intentional or unintentional 5/3/2019

11 The “Crown Jewels” Question:
What are your organization’s “Crown Jewels”? What attracts hackers to your organization? Why would a hacker take interest in your organization? What is your organization’s biggest vulnerabilities? 5/3/2019

12 Risk Management Reducing risk Accepting risk Transferring risk
Technical products Procedural change Accepting risk As a cost of doing business Make contingency plans Transferring risk Outsourcing Insurance Also, ignoring risk - but that’s not advisable. 5/3/2019

13 Document Policies Standards & Guidelines Procedures
Organization-wide, high-level For all employees Set expectations on the use of company systems The first step is to have a company-wide Information Systems Policy! Standards & Guidelines Procedures Specific on how to do business A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. The main purpose of a security policy is to inform users, staff and managers of their obligatory requirements for protecting technology and information assets. The characteristics of a good security policy are: implementable, enforcible, flexible, and clearly defines areas of responsibility. Will initially contain: Access Usage Incident handling 5/3/2019

14 Security Tools Identify, acquire and utilize security tools Firewall*
Protects your network from the Internet Virus detectors* Protects against malicious programs Access control and administration User administration Secure access Vulnerability assessment System monitoring * These are critical in the beginning Need a server to put these tools linux (low-end pentium) aix (sp-mst2) solaris <-- Would be optimum. Could we use Tivoli to evaluate and monitor security? According to Randy Fox, we have a site licence for Network Associates. Does that include Cybercop? 5/3/2019

15 Control Access Manage login account requests
Add, modify & remove accounts Database of who has access to what Review and revise account access Administrator access Group and system accounts Establish a security banner on all systems Authentication vs. authorization Identification and authentication measures are centered on one of three things: 1. Something you know - passwords - pin numbers 2. Something you are - biometrics 3. Something you have - access cards Security Banner: WARNING: This system is restricted to CSG authorized users for business purposes. Unauthorized access is a violation of company policy and the law. This system may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring. 5/3/2019

16 Identify Vulnerabilities
Network: Configuration Network diagram Firewall & routers What are the open doors? 5/3/2019

17 Identify Vulnerabilities
System: Passwords Enforce password policy Check strength Remove Unneeded services Check and lock file & data sharing Only those who need access should have access Unpatched Operating System or Applications 5/3/2019

18 Guide,Assist, & Train Work with the SysAdmins on security
Implement Security Checklists Provide guidance/assistance on implementing security fixes/patches Establish security projects Educate users Let them know the importance of systems security Assist product managers Both What to do when there is a security incident SysAdmins - Front line for security Also Help Desk personnel Educate Users - Have security be a consideration when purchasing applications. - Developers should know about secure programming Need a procedure for handling security incidents 5/3/2019

19 Security Incidents - Users
Any user may encounter a security incident Security incidents include: Malicious programs (viruses, worms, trojan horses, etc.) found in or applications System intrusion by an unauthorized user If you do see a security incident: Don’t spread it! if you get an with what looks like a virus, don’t open it or send it to anyone! Don’t forward warnings about viruses! Contact your manager or the Security Admin. They will investigate and resolve the problem. 5/3/2019

20 Security Incidents - Security Admin
Keep in mind, something that appears to be a security incident is really human error or system failure. The security administrator/manager should ask: What is the problem/incident? (what happened?) What is affected? (system, application, etc.) Does anyone else have the same problem? Contain the problem Get others involved Management Administrators CERT 5/3/2019

21 Security Caveat These tasks won’t close all of the holes.
Everyone needs to take responsibility for information systems security. The intent is to make your environment much less inviting to those looking for easy pickings. This also establishes legal due diligence in protecting your organization. 5/3/2019

22 Security Administration
Eugene Spafford’s first principal of security administration: If you have responsibility for security, but have no authority to set rules or punish violators, your role is to take the blame when something goes wrong.* * Garfinkle & Spafford, Practical Unix & Internet Security, O’Reilly & Associates, Inc, 1996, p.39. 5/3/2019

Download ppt "Establishing a Security Program When None Exists"

Similar presentations

Is There a Security Problem in Computing? Network Security / G. Steffen1.

Is There a Security Problem in Computing? Network Security / G. Steffen1.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Developing Network Security Strategies Network Security D ESIGN Network Security M ECHANISMS.

Developing Network Security Strategies Network Security D ESIGN Network Security M ECHANISMS.
Introducing Computer and Network Security

Introducing Computer and Network Security
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Computer Crime and Information Technology Security

Computer Crime and Information Technology Security
Defining Security Issues

Defining Security Issues
SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.

SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Similar presentations

Ads by Google