Shawn Tovey – Security Roadmap (ppt, Naples)
Added: September 14, 2007

Presentation Transcript

Building a Security Roadmap

Introduction:
- My Background
- Company Background

Today's Discussion:
- The Business Problem
- SB 1386
- Typical Internet Transaction
- Security Touch Points & Risks
- Security Countermeasures
- SAS 70
- Q&A

The Business Problem:
- Security Breach
- Identity theft
- Costs
- Public Relations
- High Profile lawsuits

Typical Internet Transaction:
- Consumer Website – Loan Application
- Assisted Channel – Loan Officer / Broker
- Loan Registration & Locking
- Internet or Intranet
- Confidential information: Social Security #, Bank Account #s, Borrower Name & Address

Typical Internet Transaction (diagram components):
- Internet / Intranet
- Loan App
- Loan Lock Database
- Product/Pricing/Eligibility Engine
- Credit Repository

Security Touch Points:
- Desktop Threats
- Internet Threats
- DMZ/Firewall Threats
- Webserver / Application Server Threats
- Database Threats
- 3rd Party Service Providers

Desktop Threats:
- Password security
- Instant Messaging
- Non-secure connections
- Email security (inbound & outbound)
- Wireless connectivity
- Virus propagation
- Elevated Application Access
- Photo Cell Phones

Desktop Countermeasures:
- Corporate computing policies
- Virus Protection
- End User License Agreements
- Patch Management
- Network computing rules / Policy servers
- End user education & training
- Limit controls / need-to-know application access

Internet Threats:
- Session hijacking
- Site Spoofing
- Social Engineering

Internet Countermeasures:
- HTTPS
- Leased Lines
- VPNs
- IPSec

DMZ/Firewall Threats:
- Denial of Service
- Port Scanning
- Firewall hacking

DMZ/Firewall Countermeasures:
- Intrusion detection: Cisco IDS, scans for known signatures (port scanning, DoS, authentication attempts)
- Truesecure Penetration Testing: looking for known vulnerabilities in the firewall, web servers and FTP servers
- Site Monitoring – system health, DoS: external – Mercury Interactive; internal – Sitescope Monitoring

Webserver/Appserver Threats:
- Buffer overruns
- Username/Password Hacking
- Known vulnerabilities
- SQL injection

Webserver/Appserver Countermeasures:
- HTTPS: 128-bit Verisign SSL Server Certificates (40-bit is less expensive, also less secure)
- Secure FTP services ('Secure FTP' product name)
- Identity Management – storing authentication credentials in secure format (SiteMinder, Active Directory, SiteServer, Commerce Server, etc.)
- Single Sign-on
- Application Intrusion Detection
- Account lockout Policy (i.e., 6 failed attempts, lockout for 3 min)
- IP Blacklisting
- Web log monitoring
- Application field-level edits

Database Server Threats:
- Buffer overruns
- Username/Password Hacking
- Known vulnerabilities

Database Server Countermeasures:
- Store sensitive information encrypted
- Read-only accounts
- Remove sensitive information from logs

3rd Party Service Provider Threats:
- Repudiation – being able to prove who requested a transaction

3rd Party Service Provider Countermeasures:
- Client-side certificates
- Private Leased Lines
- VPN/IPSec

SAS 70 Certification – SAS 70 Overview:
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 audit or examination is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. SAS No. 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm.
A formal report including the auditor's opinion ('Service Auditor's Report') is issued to the service organization at the conclusion of a SAS 70 examination.

SAS 70 Certification:
- Type I Audit – Independent service auditor's report (i.e. opinion) & description of controls.
- Type II Audit – Includes a description of the service auditor's tests of operating effectiveness and the results of those tests.

Q&A
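The Webserver/Appserver slides list SQL injection as a threat and "application field-level edits" as a countermeasure, but the deck does not show what either looks like in code. The following is an added example, not from the presentation: it places a string-built query next to a parameterized one against a constructed in-memory loan table (the table, the borrower names and the `loans` schema are assumptions for illustration), and adds an allow-list field edit in front of the query. The point it makes is that the field edit alone is not enough, because a legitimate borrower name may contain an apostrophe, so parameter binding is the control that actually prevents the input from changing the query.

```python
import re
import sqlite3

# Constructed sample data standing in for the deck's "Loan Lock Database".
# Names, SSNs and amounts are made up for the example.
SAMPLE_LOANS = [
    ("Ada Lovelace", "123-45-6789", 250000),
    ("Bob Ross", "987-65-4321", 180000),
    ("Carol O'Brien", "555-12-3456", 420000),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE loans (borrower TEXT, ssn TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO loans VALUES (?, ?, ?)", SAMPLE_LOANS)
    conn.commit()
    return conn


def find_loans_vulnerable(conn: sqlite3.Connection, borrower: str) -> list:
    # BAD: untrusted input is pasted into the SQL text, so the input can
    # rewrite the WHERE clause instead of being compared as a value.
    sql = f"SELECT borrower, amount FROM loans WHERE borrower = '{borrower}'"
    return conn.execute(sql).fetchall()


def find_loans_safe(conn: sqlite3.Connection, borrower: str) -> list:
    # GOOD: bound parameter; the driver sends the value separately from the
    # statement, so quotes or SQL keywords in the input stay plain data.
    return conn.execute(
        "SELECT borrower, amount FROM loans WHERE borrower = ?", (borrower,)
    ).fetchall()


# Field-level edit: an allow-list of what a borrower name may contain.
# Apostrophe is allowed on purpose (O'Brien), which is why this check
# cannot replace parameter binding; it only narrows the input surface.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,79}$")


def validate_borrower_name(value: str) -> bool:
    """Return True when the value matches the allow-list for borrower names."""
    return bool(NAME_RE.fullmatch(value))


def lookup(conn: sqlite3.Connection, borrower: str) -> list:
    """Defence in depth: field edit first, then the parameterized query."""
    if not validate_borrower_name(borrower):
        raise ValueError("borrower name failed field-level validation")
    return find_loans_safe(conn, borrower)


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "Carol O'Brien"))
```

Running the module prints the single row for Carol O'Brien: the apostrophe passes the field edit and is handled correctly by the bound parameter, whereas the string-built variant would have produced a malformed statement for the same legitimate name.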
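The Webserver/Appserver Countermeasures slide names an account lockout policy (6 failed attempts, lockout for 3 minutes) alongside web log monitoring. As an added example that is not part of the deck, the following implements that policy as a small in-memory tracker with an injectable clock so the timing can be tested deterministically; the credential store, user names and the audit-line format are assumptions for illustration. It records a structured audit line for every decision so that the same component feeds the log monitoring the slide asks for.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Policy constants taken from the slide: 6 failed attempts, 3-minute lockout.
MAX_FAILURES = 6
LOCKOUT_SECONDS = 3 * 60


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lockout
    locked_until: float = 0.0  # clock value at which the lock expires


class LockoutPolicy:
    """Tracks failed logins per user and refuses attempts while locked.

    The clock is injectable (default: time.monotonic) so tests can advance it.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 max_failures: int = MAX_FAILURES,
                 lockout_seconds: int = LOCKOUT_SECONDS) -> None:
        self._clock = clock
        self._max = max_failures
        self._lockout = lockout_seconds
        self._accounts: Dict[str, AccountState] = {}
        self.audit_log: List[str] = []  # feed for web log monitoring

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._state(user).locked_until

    def attempt(self, user: str, password: str,
                verify: Callable[[str, str], bool]) -> str:
        """Return 'locked', 'ok' or 'denied'.

        The credential check runs only when the account is not locked, so a
        locked account is refused even when the supplied password is right.
        """
        st = self._state(user)
        now = self._clock()
        if now < st.locked_until:
            self.audit_log.append(
                f"LOCKED user={user} retry_after={int(st.locked_until - now)}s")
            return "locked"
        if verify(user, password):
            st.failures = 0
            self.audit_log.append(f"LOGIN_OK user={user}")
            return "ok"
        st.failures += 1
        if st.failures >= self._max:
            st.locked_until = now + self._lockout
            st.failures = 0
            self.audit_log.append(f"LOCKOUT user={user} duration={self._lockout}s")
        else:
            self.audit_log.append(f"LOGIN_FAIL user={user} failures={st.failures}")
        return "denied"


if __name__ == "__main__":
    # Constructed credential store for the demo; a real system would verify a
    # password hash from the identity management layer named on the slide.
    creds = {"alice": "correct horse"}
    policy = LockoutPolicy()
    for _ in range(MAX_FAILURES):
        policy.attempt("alice", "wrong", lambda u, p: creds.get(u) == p)
    print(policy.is_locked("alice"), policy.audit_log[-1])
```

Two design choices worth noting: the response for an unknown user is the same "denied" as for a wrong password, so the login form does not confirm which user names exist; and the lock is keyed by user name, which complements the IP blacklisting on the same slide, since lockout stops guessing against one account while blacklisting stops one source from trying many accounts.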
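The Database Server Countermeasures slide says to remove sensitive information from logs, and the transaction slides name exactly which fields are at stake: Social Security numbers and bank account numbers. The following is an added example, not from the deck, of a log scrubber applied at write time. The key=value log format, the field names (`ssn`, `acct`, `account`, `routing`) and the three constructed sample lines are assumptions for illustration. It masks values of known sensitive keys and also catches a bare SSN that leaks into free text such as an error message, while leaving unrelated numbers (timestamps, loan IDs, rates) untouched.

```python
import re
from typing import List

# Bare SSN pattern for values that leak into free text (e.g. error messages).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Assumed key names whose values must never reach the log in clear.
SENSITIVE_KEYS = ("ssn", "acct", "account", "routing")
KV_RE = re.compile(r"\b(" + "|".join(SENSITIVE_KEYS) + r")=([^\s,;]+)",
                   re.IGNORECASE)

# Constructed sample log lines from a hypothetical loan application.
SAMPLE_LOG = [
    '2007-09-14 10:01:02 app=loanapp event=submit borrower="Ada Lovelace" '
    'ssn=123-45-6789 acct=001234567890',
    '2007-09-14 10:01:05 app=loanlock event=lock loan_id=88231 rate=6.125',
    '2007-09-14 10:02:11 app=loanapp event=error '
    'msg="credit pull failed for 987-65-4321"',
]


def mask(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` characters with '*'.

    Keeping the last four digits is a common support-desk compromise; a
    policy that forbids any partial value would call mask(value, 0).
    """
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def redact(line: str) -> str:
    """Scrub one log line: known sensitive keys first, then bare SSNs."""
    line = KV_RE.sub(lambda m: f"{m.group(1)}={mask(m.group(2))}", line)
    line = SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", line)
    return line


def redact_all(lines: List[str]) -> List[str]:
    """Scrub a batch of lines, e.g. in a logging filter before the handler writes."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for scrubbed in redact_all(SAMPLE_LOG):
        print(scrubbed)
```

Wire `redact` in as a logging filter or formatter step rather than as a post-processing job: once a clear-text SSN has been written to disk and shipped to a log aggregator, "removing" it means chasing copies.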