Presentation is loading. Please wait.

Presentation is loading. Please wait.

Is Your Company Security Aware? Presented By: Brian Picard GSEC.

Published byWhitney Hensley Modified over 9 years ago

Similar presentations

Presentation on theme: "Is Your Company Security Aware? Presented By: Brian Picard GSEC."— Presentation transcript:

1 Is Your Company Security Aware? Presented By: Brian Picard GSEC

2 Personal Background Progressive Insurance – Security Architect 10 Long Years ( 6 years in Identity/Security ) GIAC – GSEC Certified Wide range of background experience ( ie Server Administration, Networking, Development, Identity, and Security Architecture ) Private Consulting – Anything Technical 9 Year ( 4 years in Identity/Security ) Network Development Server Implementations Custom Development Security Consultations and Instruction

3 Overview Security Awareness Program Security Effort Statements Sample Security Awareness Efforts Social Engineering Public Information Gathering Development Challenges Physical Security Awareness Adjacent Risks Other Samples

4 Security Awareness Program WARNING This should not be done as a group activity WARNING Definition: This describes where your company’s security awareness is focused and a rough outline of the scope. Efforts: This describes what efforts will be made to meet your goals. Timeframe: This will define how long your company will follow this initiative before re-evaluating it’s position.

5 Security Effort Statement WARNING These need to be done as a group activity WARNING Objective: Goals, Scope (In AND Out), Gaps Target Audience: Intended Targets, Depth Of Technical Knowledge Actions: Mediums of Delivery, Durations, Required/Optional Additional References: Other Sources Of Information Measurements: Verification On Success

6 Sample Security Efforts (Social Engineering) Objective: To inform employees about Social Engineering and to give them the ability to professionally deal with a suspected Social Engineer. The scope will include social engineering applied to phones, emails, and physical entry to the buildings. Target Audience: All Company Employees Actions: Company-wide web cast about Social Engineering. Including a definition, common real-world examples, and ways to deal with suspected social engineers.

7 Sample Security Efforts (Social Engineering) Additional Resources: http://en.wikipedia.org/wiki/Pretexting http://www.securityfocus.com/infocus/1527 http://www.sans.org/reading_room/whitepapers/engineering Measurements: 1. A company-wide web test administered 6 months after the training is completed. 2. Random Social Engineering attempts done from outside consultants.

8 Sample Security Efforts (Public Information Gathering) Objective: To inform employees about Public Information Gathering. The scope includes web and verbal content with individuals inside and outside the company. Target Audience: The target for this security effort is Web Content Analysts and Point Of Sale employees. Actions: A web based find the information internal game. This game will include potentially critical company information hidden on a typical looking company web site. An internet scavanger hunt for public information on companies with explanations on how this information could be useful to an outsider.

9 Sample Security Efforts (Public Information Gathering) Additional Information: http://businessethics.suite101.com/article.cfm/corporate_intelligence_gat hering http://businessethics.suite101.com/article.cfm/corporate_intelligence_gat hering Measurements: 1. Post assessment of Information Gathering game. 2. Internet Scavenger Hunt to gather required pieces of information about companies based off their corporate web site

10 Sample Security Efforts (Development Challenges) Objective: To inform developers of the potential problems with unsafe coding practices. The scope of this will include Cross- site scripting (XSS), SQL Injections, and Improper Input Validation. Target Audience: Web developers that work on an external facing application. Actions: This effort will be comprised of a progressive set of challenges regarding the above mentioned topics. After each challenge some hints will be given to help solve the next round of problems.

11 Sample Security Efforts (Development Challenges) Additional Resources : http://en.wikipedia.org/wiki/Cross-site_scripting http://www.cgisecurity.com/articles/xss-faq.shtml http://en.wikipedia.org/wiki/SQL_injection http://www.unixwiz.net/techtips/sql-injection.html Measurements : 1. The completion of the required challenges within a designated time frame. 2. The completion of a follow-up set of challenges, different then the first, six months after completion of the previous round. 3. Bug tracking for reported SQL Injection, XSS, and Input Validation Issues.

12 Sample Security Efforts (Physical Security Awareness) Objective: To inform the employees about potential problems with lacking physical security. The scope for this shall include only entering the building. Target Audience: All employees with badges. Actions: An online bulletin explaining the problems and statistics around un-authorized individuals. Movable Plaques mounted around badging stations explaining that every person should swipe their own badge and those attempting to tailgate should be questioned.

13 Sample Security Efforts (Physical Security Awareness) Rotation of entry staff to encourage the requirement of swiping and diminish the likelihood of known employees being allowed to enter. Colorful Posters or Cutouts moved around the company encouraging employees to swipe for their own entry and question others attempting to enter on their swipe. Measurements: 1. Trending on the number of un-authorized people in the buildings. 2. Trending on the number of card swipes per day.

14 Sample Security Efforts (Adjacent Risks) Objective: To inform all company employees that work on external data transactions with other companies about Extended Security threats. Target Audience: Any employee that work on external data transactions. Actions: A Web Based Training (WBT) that explains the potential problems and history of known problems around network extensions. Measurements: A post assessment of the content covered in the WBT.

15 Sample Security Efforts (Other Samples) Security Informational Sessions Security Posters Security Bulletins Data Classification Awareness Phishing Source Code Management

16 Final Thoughts Publish Your Security Awareness Statement Trust but Verify Completion of Efforts

17 Recap And Personal Contact Information Recap Contact Info: Brian_Picard@Progressive.com

Download ppt "Is Your Company Security Aware? Presented By: Brian Picard GSEC."

Similar presentations

Risk Management Case Study. agenda Firm Overview Case Study – Risk Management Q&A.

Risk Management Case Study. agenda Firm Overview Case Study – Risk Management Q&A.
PRODUCT FOCUS 5/27/14 – 6/6/14 INTRODUCTION Our Product Focus for the next two weeks is CompTIA. CompTIA is most well known for serving as the backbone.

PRODUCT FOCUS 5/27/14 – 6/6/14 INTRODUCTION Our Product Focus for the next two weeks is CompTIA. CompTIA is most well known for serving as the backbone.
Laura Urquieta March 11, 2012 EDTC 3332.60 Instructional Technology Practicum.

Laura Urquieta March 11, 2012 EDTC Instructional Technology Practicum.
Week 6 Lecture Part 2 Databases in Electronic Commerce Samuel Conn, Asst. Professor.

Week 6 Lecture Part 2 Databases in Electronic Commerce Samuel Conn, Asst. Professor.
PRODUCT FOCUS 2/3/14 – 2/14/14 INTRODUCTION Our Product Focus for the next two weeks is VMware. VMware is the current industry leader in server / data.

PRODUCT FOCUS 2/3/14 – 2/14/14 INTRODUCTION Our Product Focus for the next two weeks is VMware. VMware is the current industry leader in server / data.
ICASAS305A Provide Advice to Clients

ICASAS305A Provide Advice to Clients
PRODUCT FOCUS 4/14/14 – 4/25/14 INTRODUCTION Our Product Focus for the next two weeks is Microsoft Office 365. Office 365 is Microsoft’s most successful.

PRODUCT FOCUS 4/14/14 – 4/25/14 INTRODUCTION Our Product Focus for the next two weeks is Microsoft Office 365. Office 365 is Microsoft’s most successful.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
E-business Infrastructure

E-business Infrastructure
02/12/00 E-Business Architecture

02/12/00 E-Business Architecture
Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.

Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases 1234576891011 Copyright Wonderlane Studios.

Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
Part 1 1 1.Define customer service. 2.Describe factors that have impacted the growth of the service sector in the United States. 3.Identify the socioeconomic.

Part Define customer service. 2.Describe factors that have impacted the growth of the service sector in the United States. 3.Identify the socioeconomic.
SMART GRID: Privacy Awareness and Training – for PUCs/PSCs A Starting Point December 2011 SGIP-CSWG Privacy Group 1 DRAFT.

SMART GRID: Privacy Awareness and Training – for PUCs/PSCs A Starting Point December 2011 SGIP-CSWG Privacy Group 1 DRAFT.
Network security policy: best practices

Network security policy: best practices
IT Job Roles Task 20. Software Engineer Job Description Software engineers are responsible for creating and maintaining software of various different.

IT Job Roles Task 20. Software Engineer Job Description Software engineers are responsible for creating and maintaining software of various different.
Diploma of Project Management Course Outline NSW Course Number 17872 Qualification Code BSB51407.

Diploma of Project Management Course Outline NSW Course Number Qualification Code BSB51407.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,

Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Penetration Testing University of Sunderland CSEM02 Harry R Erwin, PhD.

Penetration Testing University of Sunderland CSEM02 Harry R Erwin, PhD.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.

Similar presentations

Ads by Google