2
Or, How to Spend Your Weekends… Fall 2007
3
Agenda
General Overview of the CISO Arena
Technical Security
Information Security
Strategic Security
Kirk Bailey – CISO, UW
Ernie Hayden – CISO, Port of Seattle
Q & A
4
[Chart: Security Profession Expertise Levels, arranged along a research axis. Based on Forrester, April 2005, and enhanced/modified by Kirk Bailey and Ernie Hayden.]
Technology Security (Technology Problems): Firewalls; Intrusion Detection; Network Security; Viruses, Worms, Crimeware; System Hardening; Encryption Engineering
Information Security (Business Problems): Risk Management; Business Continuity / Disaster Planning; Intellectual Property; Business / Financial Integrity; Regulatory Compliance; Industrial Espionage; Privacy; Forensics & Investigations
Strategic Security (Critical Security Problems): Terrorism & CyberCrime; Regional Interests (Including Cyber and Natural Disasters); Nation State Interests; Intelligence; Professional Alliances; Politics; Strategies and Tactics
5
WHY “STRATEGIC SECURITY”
It is not pretty out there…
6
Troubling Realities
41,000,000 of ‘em out there!
“In the world of networked computers every sociopath is your neighbor.” – Dan Geer, Chief Scientist, Verdasys
7
Cyber Attack Sophistication Continues To Evolve
[Chart, source CERT 2004: attack sophistication (Low to High) rising over time, 1980, 1985, 1990, 1995, 2000+, while the technical skill required of attackers (intruder knowledge) falls. Tools and techniques labelled along the timeline: password guessing; self-replicating code; password cracking; exploiting known vulnerabilities; disabling audits; back doors; hijacking sessions; sweepers; sniffers; packet spoofing; GUI; automated probes/scans; denial of service; www attacks; “stealth” / advanced scanning techniques; burglaries; network mgmt. diagnostics; distributed attack tools; cross site scripting; staged attack; bots.]
8
RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?
– Species 8472
9
Cybercrime and Money…
McAfee CEO: “Cybercrime has become a $105B business that now surpasses the value of the illegal drug trade worldwide”
10
Today’s Threat Landscape..
Symantec Internet Security Threat Report
Threat landscape is more dynamic than ever
Attackers rapidly adapting new techniques and strategies to circumvent new security measures
Increased professionalism and commercialization of malicious activities
Threats tailored for specific regions
Increasing numbers of multi-staged attacks
Attackers targeting victims by first exploiting trusted entities
Convergence of attack methods
11
Kirk Bailey, CISSP, CISM
Objectives (Confidentiality, Availability, Integrity)
Intelligence
Trusted Alliances
Innovative Thinking
Risk Management (Liability Protection)
Compliance Challenges: Contractual; Statutory & Regulatory; Industry Standards
12
Ernie Hayden, CISSP
Key Functions:
Information & Computer Security
Business Continuity / Continuity of Operations (COOP) / Disaster Recovery Planning
Privacy
Critical Infrastructure Protection
Policy
Emergency Communications
13
A Sampling of Projects
Administration: Budgets; Audits (e.g., Deloitte/State)
Policies & Procedures: Appropriate Use – Update/Revision; Security Policy – General; Cell Phone Disposal; RCW 19.255 Response
Security Management: Security Strategy Top 10 List; Metrics, Dashboard; Security Governance; Security Domain Architecture
Committees: Architecture Management Board; Corporate Security Council; Change Management Board
Technology Issues: VOIP Security; Web Application Security
Employee Awareness: Monthly Brownbags; Secure Coding – Web Development; Home PC Security Training
BCP/DRP: Incident Response Procedure; IT Disaster Recovery Policy; Drills, Tabletops; NIMS & ICS
Emergency Communications: SendWordNow; WebEOC – Emergency Operations Center Visualization Tool
14
Strategic Security Plan Elements
Organization & Authority
Controls Policy
Risk Management Program
Intelligence Program
Audit & Compliance Program
Privacy Program
Incident Management
Education & Awareness Program
Operational Management
Technical Security & Access Controls
Monitoring, Measurement & Reporting
Physical & Environmental Security
Asset Identification & Classification
Employee & Related Account Management Practices
15
What Do You Think?
Prioritize this task/response list:
Key Application Vendor Contract Review
100’s of Incoming Spam Complaints
Forensic Report on New Rootkit Compromises (30 machines)
Patch Management Process Concerns
Email Service Interruptions
New Credit Card Processing System for Husky Stadium Requires CISO Approval
Electronic Harassment of an Employee
16
Thoughts…
“The CISO of the future is the one who can run the risk-management organization.”
“The days of security being handled by the 'network person' who did security in their spare time are over and increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space.”
Quotes by Paul Proctor
18
THANKS!!
Kirk Bailey, CISSP, CISM
CISO, University of Washington
206-685-5475
kirkb01@u.washington.edu
Ernie Hayden, CISSP
CISO / Manager Enterprise Information Security, Port of Seattle
2711 Alaskan Way, Seattle, WA 98121
206-728-3460
Hayden.e@portseattle.org