Published by Belinda Parsons. Modified over 8 years ago.
Information Security In the Corporate World
About Me
Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005
Currently hold CISSP, CEH and GPEN certifications
Joined Lockheed Martin in October 2005 as a Computer System Security Analyst
Supported multiple services/products such as Proxies, Firewalls, IDS/IPS, Full Disk Encryption, Log Monitoring, but spent most of my career doing Vulnerability identification and management
In addition to supporting those tools I have also acted as a Security Engineer helping to integrate security into programs and environments
Presentation Overview
Understand the goal of an Information Security professional
Get a baseline understanding of the phases attackers typically use
Identify high-level security concepts to try and reduce and eliminate attack vectors in your environment
Goals
Overall our goal as an Information Security Professional is to:
1. Ensure the business is still functional
2. Eliminate risk wherever possible
3. When you cannot eliminate, mitigate it to an acceptable level
4. Document and accept known risks that cannot be eliminated
Understanding Attacks
Reconnaissance
Scanning and Enumerating
Gain Access
Understanding Attacks
Maintain Access
Covering Tracks
Loot and Profit
Defense in Depth Model
Unsecure System
System Hardening
Patching (OS, App, DB)
–Ensure all patches get applied quickly and efficiently
–Set up standard outage windows for patches and other maintenance
–Be proactive, run vulnerability scans
Anti-virus
–Automate updates
–Scheduled scans
–Set up on-access scanning
System Hardening (cont)
Separation of duty
–Distribute services to multiple devices
–Isolate systems to different environments
Simplify your systems
–Disable unnecessary services
–Remove unused components
System Hardening (cont)
Least Privilege
–Only grant accounts the privileges required to fulfill their roles.
–Limit remote root or admin access
Log Monitoring
–Centralize and correlate your logs
–Review logs daily or at least have e-mail alerts set up for specific events
System Hardening (cont)
Firewalls
–Place between trusted and untrusted environments
–Configure to only allow required network traffic
–Block by default (don’t send resets)
IDS/IPS
–Place between trusted and untrusted environments
–Use host-based solutions as well on high risk targets
–Spend the time to configure properly, eliminate the white noise
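The firewall points above (allow only required traffic, block by default, don't send resets) can be checked mechanically against an exported ruleset. The following is an added example, not part of the original presentation: it assumes rules in `iptables-save` format, and the sample ruleset, the function name `audit_ruleset` and the "broad accept" heuristic are constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format (not from the presentation).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""

# Heuristic (assumption): an ACCEPT rule with none of these matches is too broad.
NARROWING = {"--dport", "--dports", "--ctstate", "--state", "-i", "--icmp-type"}

def audit_ruleset(text, chains=("INPUT", "FORWARD")):
    """Return (chain, code, detail) findings for an iptables-save dump."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            # Chain declaration, e.g. ":INPUT ACCEPT [0:0]" -> name, default policy
            chain, policy = line[1:].split()[:2]
            if chain in chains and policy != "DROP":
                findings.append((chain, "policy-not-drop", policy))
            continue
        if not line.startswith("-A "):
            continue  # table headers, COMMIT, comments
        tokens = shlex.split(line)
        chain = tokens[1]
        if chain not in chains or "-j" not in tokens[:-1]:
            continue
        target = tokens[tokens.index("-j") + 1]
        if target == "REJECT":
            # REJECT answers the sender; DROP stays silent.
            how = "icmp-port-unreachable"  # iptables default when unspecified
            if "--reject-with" in tokens[:-1]:
                how = tokens[tokens.index("--reject-with") + 1]
            findings.append((chain, "reject-responds", how))
        elif target == "ACCEPT" and not NARROWING & set(tokens):
            findings.append((chain, "broad-accept", line))
    return findings

if __name__ == "__main__":
    for chain, code, detail in audit_ruleset(SAMPLE_RULESET):
        print(f"{chain}: {code}: {detail}")
```
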
System Hardening (cont)
Proxy
–Block non-business related and personal e-mail sites
–Coach users when dealing with higher risk areas, like social networking sites.
Full Disk Encryption
–Can be coupled with auto wipe technology
–Prevents data exfiltration through theft
User Hardening
User awareness and training
–Train users to identify social engineering and phishing attacks
–Propagate cyber security awareness
–Test users' understanding
Policies and Procedures
–Document processes for standard activities
–Set up guidelines for security requirements
Secure Setup
Remember You will never be 100% secure. Your job is to make compromising your systems so hard that the attacker will either look for easier prey or be forced to run exploits that are so noisy that they are detected before any harm is done.
More information
Read up on Intelligence-Driven Computer Network Defense and Cyber Kill Chain®:
http://www.lockheedmartin.com/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html
Questions?
Contact Information: timothy.van.waes@lmco.com