Presentation is loading. Please wait.

Presentation is loading. Please wait.

Frontline Enterprise Security

Published byHortense Gaines Modified over 9 years ago

Similar presentations

Presentation on theme: "Frontline Enterprise Security"— Presentation transcript:

1 Frontline Enterprise Security
Presented by: Michael Weaver, CISSP, QSA Sword & Shield Enterprise Security October 6, 2015

2 Who am I? Senior Enterprise Consultant at Sword & Shield
Started “hacking” around the age of 12 on a Windows 3.11 machine using a 14.4k modem Started a professional IT career doing systems and network administration in 2002

3 What does a S&S Enterprise Consultant do?
Audits and assessments on compliance standards, technology configuration, and information security best practices Advisement on business decisions related to information security Supplement information security staff to assist with projects, technology, training, etc. Draft, review, and revise policies Training on technologies, compliance, and general security concepts

4 Audits

5 What Kind of Audits? FISMA, GLBA, HIPAA, ISO and SOX gap analysis Gap Analysis – How close are you to adhering to the compliance framework? PCI compliance Compliance – The governing authority recognizes that you are meeting or exceeding the requirement of the standard. Risk Assessments based on NIST Assessment – Applying my knowledge and expertise to evaluate your organization according to NIST and other standards. How well is your organization protected from actual threats and how likely are they?

6 Evidence Policies and Procedures to show that the organization has set expectations and communicated them to the appropriate parties. Standard sets of supporting documents, such as diagrams, logs, screen shots, configuration files, etc., are requested in every engagement. However, I dig a lot deeper when you make extraordinary claims or hide something. Interviews with people who setup the controls protecting the information. Observations of the work areas and the “secure” areas where the information is stored, processed, or transmitted. Verification through action.

7 Typical Compliance and Security Issues
Policies and procedures Are they kept up-to-date? Are they known throughout the organization? Are they followed? Giving people higher privileges than they need. Local Admin rights – STOP THIS! Not reviewing, collecting, keeping, alerting, and responding to security events. Not Staying current on patches or having a well developed plan to patch everything in your environment. Training Service Accounts. Lock them down. Yes, you need to change the password, but possibly not as often as normal user accounts. Letting your data walk out the door and letting people bring anything in. Having exceptions to the rules, but only if they promise to be safe.

8 Getting to the Information without “Hacking”
Physical methods - social engineering, tailgating, phishing, just taking the information, unlocked computers in public area, or taking pictures or videos (office windows). Using passwords that should have been changed or accounts that should have been disabled. Having exposed information. BYOD, missing or incorrectly configured security controls (VLANs), removable media, Outlook Anywhere, and using cloud storage or services. Sharing passwords or letting other people use your computer or device.

9 How to Resolve the Issues

10 Technology Solutions Basic Firewall Web Application Firewall
Multifactor Biometric Web Filter MSSP/SIEM DDoS Mitigation Mobile Device Management Password Management Update Management IDS/IPS Backup Solutions Archiving DR Sites Whitelisting Enterprise Wireless Data Loss Prevention Vulnerability Scanning Secure File Transfer NAC Inventory Management FIM

11 Steps to Success Senior leadership within the organization must understand and support security decisions or they will fail. Everyone in the organization must know their responsibilities and ownership in the security program. You need visibility and knowledge of how information flows through the business. Identify and address all risks to your information. All identified risks will be accepted, avoided, mitigated, or transferred. Develop a security plan and set goals to obtain a strong security posture. Get help when you need it. Training, 3rd parties, and additional staff can provide additional knowledge, expertise, and resources.

12 Questions?

13 Thank you!

Download ppt "Frontline Enterprise Security"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
MOBILE DEVICES & THEIR IMPACT IN THE ENTERPRISE Michael Balik Assistant Director of Technology Perkiomen Valley School District.

MOBILE DEVICES & THEIR IMPACT IN THE ENTERPRISE Michael Balik Assistant Director of Technology Perkiomen Valley School District.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.

University of Guelph IT Security Policy Doug Blain Manager, IT Security ISC, April 27th.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.

Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.
Initial Findings  Secure all contracts with third party vendors immediately  Develop a strong understanding of the ‘Flow of PHI’ within and outside of.

Initial Findings  Secure all contracts with third party vendors immediately  Develop a strong understanding of the ‘Flow of PHI’ within and outside of.
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.
Information Security Information Technology and Computing Services Information Technology and Computing Services

Information Security Information Technology and Computing Services Information Technology and Computing Services
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Similar presentations

Ads by Google