Essential Strategies for Protecting Against the New Wave Of Information Security Threats
Abe Usher, CISSP
Sharp Ideas LLC

About the presenter
Abe Usher
CISSP
Master’s degree in Information Systems
Ideas published in Wired Magazine, Network World, New Scientist Magazine, Business Week On-line and others
Creator of slurp.exe
Principal architect of SecurityBuzz.org

Webinar agenda
Review of security concepts
New threats
Pod slurping
Data theft in the news
Strategies for reducing risk
Questions and wrap up

Information security: key terms
Confidentiality
Integrity
Availability

Information security: key terms
Network security
Application security
Host security (endpoint security)

Information security: key terms
Network: Typically strong
Application: Moderate
Host (Endpoint): Weak (non-existent?)

Information security: new threats
The widespread introduction of computing devices and portable storage in the enterprise brings significant risks:
iPods
USB and Firewire storage
Bluetooth accessories
PDAs
Unauthorized wireless

Endpoint: entry vectors
Optical drives
PDAs
Smart phones
Firewire
USB accessories
RJ-45 net
WiFi
Bluetooth

Universal Serial Bus (USB)
Originally developed in 1995 as an external expansion bus to make adding peripherals easy.
“Universal” acceptance of USB – virtually all new PCs come with one or more USB ports.
New USB 2.0 allows data transfer at a rate 40 times faster than USB 1.1 (480 Mb/second)

USB devices: the good
Supported by all vendors on all major operating systems
Productivity booster in the proper context
USB has reduced cost and complexity of peripherals
Convenient data exchange between computers

USB devices: the bad
Modern operating systems do not provide granular control over the use of USB devices (e.g. no auditing)
Most commercial organizations do not have clear policies on the use of USB devices
Most organizations do not understand the security implications of USB devices

The importance of information
The currency of the Information Age is the bit.
Information economies gain competitive advantage through creating, analyzing, and distributing information.
Organizations that fail to protect their information resources jeopardize their own future.

Adapt your security infrastructure or become a statistic
Privacy Rights Clearing House | Washington Post, June 22, 2005

Digital media players and portable storage
More than 42 million iPods sold
Other digital media players increasingly popular
USB thumb drives reaching low price point and ubiquitous adoption

Information security: in the news
Unauthorized use of computers increased
Unauthorized access to information and theft of proprietary information showed significant increases in average loss per respondent ($303,324 and $355,552 respectively)

Information security: in the news
Additional resources available at:
http://www.sharp-ideas.net/ideas/
37 additional stories from the news media related to data theft
26 messages from prominent information security mailing lists discussing data leakage / data theft

Information security: traditional threats
External hackers
Malicious code outbreaks
SPAM
Spyware
Phishing

Traditional threats (network security)
Hacker activity
Worms & viruses
SPAM
Spyware
Phishing
Firewall
Intrusion Detection
SPAM filtering
Anti-Spyware
Phishing filtering

Emerging threats: endpoint security
Widespread adoption of portable storage and digital media players
USB
Firewire
Wireless trend in peripherals & secondary components
Bluetooth
802.11
Bottom line: Network security strategies do nothing to protect against devices connected inside of your enterprise network.

Evolution of security threats

Computing capacity vs. human skill
The rate that computing power increases is vastly greater than the rate that computer users achieve new understanding.

Information security: new solutions
Comprehensive policies that account for portable computing devices, wireless computing, and a mobile workforce
User awareness of security issues and policies
Technical solutions that mitigate access of storage and communication devices at the endpoint

5 Point strategy to remain secure
Assess your technology environment
Adapt your security policy
Have a user awareness plan
Put your policies and procedures into action
Assess effectiveness and revise your policy

Strategy #1: Assess your technology environment
At a minimum define:
Critical information and information systems
System owners
System users:
employees
contractors
business partners
Most likely vulnerabilities and threats to endpoint security

Strategy #2: Revise your security policy
At a minimum, revise these two areas:
Corporate acceptable use policy
Use of personal computing devices:
USB storage
Bluetooth peripherals
Personal media players (e.g. iPod)
PDAs
Optical drives
Multi-function phones

Strategy #3: User awareness
Inform users of security issues and their responsibilities through:
awareness initiatives
training
education
References:
NIST 800-50 “Building an Information Technology Security Awareness and Training Program”
NIST Awareness, Training, Education http://csrc.nist.gov/ATE/

Strategy #4: Implement your policies and procedures
Assign specific responsibilities
Deploy required technical solutions

Strategy #4: Assign specific responsibilities
Security manager
Managers
IT staff
Employees
Contractors
Restrict privileges to critical information to those who require it to be productive

Strategy #4: Deploy required technical solutions
Based on your internal analysis of vulnerabilities and threats, protect essential data:
in active use
in active storage
in archival storage
in transmission

Strategy #4: Example technical solutions
(1) Access control, (2) audit activities, (3) detect events in real-time

Strategy #5: Assess effectiveness and revise strategy
All business systems require a feedback loop
As your operating context changes, so too will your security solutions
If/when you have endpoint security incidents, be sure to revise your policies appropriately

Conclusions
We've only witnessed the tip of the iceberg related to data theft
Incident prevention is significantly less costly than incident response
Addressing the issue at the endpoint provides the best ratio of risk reduction per dollar
Tailor the recommended strategies to your organization's business requirements

Media Classes
Centrally manage and protect networks from threats associated with removable media devices:
Data theft
Virus and malware propagation
Computer misuse.

How DeviceWall Works
Customer Data
Intellectual Property
Corp. Knowledge
Desperate Housewives
Viruses
Malware

Effective Management Reporting

DeviceWall 1-minute Overview
Measured response to known risk
Intuitive and comprehensive auditing
Easy policy creation and deployment
Effective guard against unwanted device connections
Minimal overhead and ongoing cost of ownership
Low cost of acquisition
Deploy in minutes, update automatically
Temporary access tools keep users productive
Communication minimizes calls to helpdesk
Intuitive, fast and effective to manage
No specialist training required
No need for dedicated staff to run Control Center

Technical Specifics
Supported platforms: Windows NT, 2000, XP, 2003
Devices managed: PDAs, USB memory, MP3 players, CompactFlash, optical drives, external hard drives, digital cameras, mobile phones, Firewire ports, Bluetooth ports and more
Server requirements: Pentium, 128MB RAM, 512MB Hard Disk
Network requirements: MS IIS 5.0+, Active Directory & NT domains supported

We hope that you have enjoyed this presentation on protecting against future information security threats. To gain additional information, please examine the following resources:
www.sharp-ideas.net
www.devicewall.com

Program Note
This webinar is sponsored by Centennial Software.
All referenced research is copyrighted 2006 by Sharp Ideas LLC, and/or its affiliates. All rights reserved.
Every reasonable attempt has been made to present accurate and reliable information. However, Sharp Ideas LLC disclaims all warranties as to the accuracy, completeness or adequacy of information contained within the webinar. Sharp Ideas LLC shall have no liability for errors, omissions, or inadequacies in the information contained herein or for interpretations thereof.
The opinions expressed herein are subject to change without notice.