Data Security: Where to Begin


Presentation Transcript

Slide 1

Data Security: Where to Begin? January 12, 2005
Kathleen K. Roberts, Principal – MBA, Information Systems, kathleen@isecuresolutions.com
Sanina Shen, Engineer – MS, CISSP, PMP, sanina@isecuresolutions.com
iSecure Solutions, 1611 Arran Way, Dresher, PA 19025, (215) 641-1396 (Office), (215) 641-1396 (FAX), www.isecuresolutions.com
Copyright [Kathleen K. Roberts] [2005]. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Final Presentation V2.W

Slide 2

Agenda
Introduction (5 mins.)
  Review definitions and framework
  Provide insights into higher ed information security trends
  Share security basics
IT Security Policies (10 mins.)
  Ensure executive leadership support
  Review commonly used higher ed policies
  Share several different enforcement approaches
Vulnerability Assessments (10 mins.)
  Overview and value of assessments
  Evaluate and prepare to use assessment tools
  Share scanning approaches
Other Security Topics (10 mins.)
  Importance of a security awareness program
  Create a business continuity plan including a CSIRT
  Examine physical security
Conclusion (5 mins.)
  Be aware of regulatory requirements
  Begin the journey

Slide 3

Information Security Definitions
Security Triad
  Confidentiality – ensuring that information is protected from unauthorized and/or inadvertent disclosure and use.
  Integrity – ensuring the accuracy, completeness and reliability of information and systems, protecting them from unauthorized and/or unexpected modification.
  Availability – ensuring reliable and timely access to data and resources for authorized users.

Slide 4

Information Security Framework

Slide 5

Security Trends in Higher Education Information Security
Beginning to See:
  Establishment of a University Information Security Office
  Hiring of a University Information Security Officer
Activities Underway by Information Security Office:
  Development of security policy
  Implementation of security architecture
  Monitoring of security
  Formal incident response procedures and formation of a CSIRT
  Development of security awareness and training programs

Slide 6

Security Trends in Higher Education (continued)
Characteristics of Leading Information Security Colleges and Universities:
  View information security as a significant opportunity for leadership
  Implementing security policies, procedures and guidelines
  Conducting institutional risk assessments on a regular basis
  Investing in staff and tools
  Increasing "community" awareness with ongoing training
  Designing, developing and deploying secure communication and information systems
  Inserting confidentiality and privacy language in vendor contract documents
  Requiring secure products from vendors

Slide 7

Security Basics
  Engage executive leadership - support, resources and communication
  Select a standard as a benchmark based on industry best practices
    The ISO 17799 Standard ( www.iso17799-web.com )
    ISSA-GAISP (Information Systems Security Association - Generally Accepted Information Security Principles)
  Baseline your institution's security posture and readiness
    Evaluate security policies against industry standards
    Conduct vulnerability assessment scans and re-test regularly
  Determine the security baselines for your organization, e.g. account locked after 3 failed login attempts, passwords changed regularly
  Examine the physical security situation
  Formalize incident response procedures
  Create and conduct security education and awareness classes
  Start up and support an information security learning community
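The "account locked after 3 failed login attempts" baseline above is simple to state but has two details that matter when it is implemented: failures must be counted within a window (otherwise three mistakes over a semester lock someone out), and a locked account must refuse even the correct password until the lockout expires, or the lockout becomes an oracle that confirms a successful guess. The following is an added example written for this page; it is not code from the presentation or from iSecure Solutions. The 3-attempt threshold comes from the slide; the 15-minute failure window, the 30-minute lockout, and the demo user table with its fixed salt are my assumptions, constructed so the example runs offline.

```python
import hashlib
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict

# Baseline from the slide: lock after 3 failed logins. The failure window and
# lockout duration are assumptions made for this example.
MAX_FAILED_ATTEMPTS = 3
FAILURE_WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 30 * 60

# Constructed demo credential store: salted PBKDF2 hashes. The salt is fixed
# only so the example is deterministic; a real store uses a random per-user salt.
_DEMO_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _DEMO_SALT, 100_000)


DEMO_USERS: Dict[str, bytes] = {
    "alice": _hash_password("correct-horse"),
    "bob": _hash_password("battery-staple"),
}


def demo_verify(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay the hash cost so the
    response time does not reveal whether the account exists."""
    stored = DEMO_USERS.get(username)
    candidate = _hash_password(password)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Sliding-window failed-login counter with a temporary lockout."""

    def __init__(self, verify: Callable[[str, str], bool],
                 max_failed: int = MAX_FAILED_ATTEMPTS,
                 window: float = FAILURE_WINDOW_SECONDS,
                 lockout: float = LOCKOUT_SECONDS) -> None:
        self._verify = verify
        self.max_failed = max_failed
        self.window = window
        self.lockout = lockout
        self._accounts: Dict[str, AccountState] = {}

    def attempt(self, username: str, password: str, now: float) -> str:
        """Returns "ok", "failed" or "locked". The clock is injected so the
        behaviour can be exercised without sleeping."""
        state = self._accounts.setdefault(username, AccountState())
        if now < state.locked_until:
            # Do not check the password at all: a locked account must not
            # act as an oracle that confirms a correct guess.
            return "locked"
        # Forget failures that have fallen out of the window.
        while state.failures and now - state.failures[0] > self.window:
            state.failures.popleft()
        if self._verify(username, password):
            state.failures.clear()
            return "ok"
        state.failures.append(now)
        if len(state.failures) >= self.max_failed:
            state.locked_until = now + self.lockout
            state.failures.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(demo_verify)
    for t, pw in [(0.0, "guess1"), (1.0, "guess2"), (2.0, "guess3"), (3.0, "correct-horse")]:
        print(f"t={t:6.0f}s alice -> {guard.attempt('alice', pw, t)}")
    print(f"t={1900:6.0f}s alice -> {guard.attempt('alice', 'correct-horse', 1900.0)}")
```

One caveat a practitioner should weigh before adopting this baseline: a lockout keyed only on the username lets anyone who knows (or can guess) an account name lock its owner out, so a threshold of 3 needs to be paired with a temporary rather than permanent lockout and, ideally, with per-source throttling, otherwise the control trades password guessing for denial of service against students and staff.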

Slide 8

Agenda (repeat of Slide 2)

Slide 9

Executive Leadership Support of Security Policies and Program
Engage leadership – CIO, president and executives
Areas where support is critical
  Budget for overall security program
  Security personnel
  Enforcement of policies
  Incident response involvement and coordination
  Ensure inclusion in the higher ed mission and strategic plan
Educate on the importance of and need for a security program
  Statistics on security breaches and growing visibility
  Federal and state regulation
  Institution's reputation
Provide reports on a regular basis
  Establish regular status meetings
  Provide ongoing reports and value-added information

Slide 10

Basic Information Security Policy Inventory for Higher Education
Key: H = High usage by colleges & universities, M = Medium usage by colleges & universities, * = Covered in Appropriate Use Policy

Slide 11

Policy Enforcement Approaches
Unlike the corporate or government sectors, higher education requires a more delicate balance to effectively enforce policies:
  Fear of being caught and punished
    Clearly communicate the consequences of policy violations in student, staff and faculty handbooks
    Include policy requirements in the institution's code of conduct to obtain an ID
    Post warnings on websites and install detection technology
  Use of existing technology
    Require a secure password with specific requirements for network access
    Use an online test requiring reading of the key points in the handbook to get an account
  Usage requirement
    Incorporate policy requirements into network access usage agreements
  Embarrassment by association - publish a list of offenders
    Post on a website or in the newspaper

Slide 12

Agenda (repeat of Slide 2)

Slide 13

Overview of Vulnerability Assessments
Definition: Vulnerability management is the discovery of weaknesses in a security profile, the determination of the risk and the elimination of these defects to reduce the window of opportunity in which an exploit could impact the institution.
Focus of Vulnerability Assessments
  Identify vulnerabilities in key assets
  Determine acceptable risk
  Fix weaknesses before attacker code can be developed to exploit the vulnerability
"The Laws of Vulnerabilities" per Gerhard Eschelbeck, CTO of Qualys
  Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with each lower degree of severity
  Prevalence: 50% of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis
  Persistence: The lifespan of some vulnerabilities is unlimited
  Exploitation: 80% of vulnerability exploits are available within 60 days of the vulnerability's release

Slide 14

Sample of Network Vulnerability Assessment High Level Summary Findings

Slide 15

Summary of Vulnerabilities

Slide 16

Detailed Scan Results (Part 1)

Slide 17

Detailed Scan Results (Part 2)

Slide 18

Port Scan Results

Slide 19

Value of Vulnerability Assessments
Best Practices of Vulnerability Management
  Classify: prioritize assets based on their "mission critical" value to the institution
  Measure: determine the effectiveness of efforts by setting goals of reduced vulnerabilities and faster mitigation
  Integrate: incorporate the intelligence gained from scans with other security data
  Audit: use metrics to evaluate the effectiveness of efforts for ongoing improvement
Benefits of Conducting Vulnerability Assessments
  Aids communication and facilitates decision making by integrating information from different parts of the institution
  Enhances the productivity of the security team by creating a structure, pooling knowledge and building "in-house" expertise
  Allows security to become part of the institutional culture by letting departments take more of the responsibility for ensuring an adequate and appropriate level of security
  Increases security awareness by actively involving a larger number of people
  Provides a consistent and measurable approach to patch and upgrade management
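Slide 13's half-life law and Slide 19's Classify / Measure / Audit steps fit together as one small calculation: rank open findings by severity times asset criticality, then compare your own time-to-fix against Eschelbeck's 30-day baseline (doubling per severity level) to see whether remediation is keeping pace. The following is an added example written for this page, not code from the presentation, Qualys, or iSecure Solutions. The severity and criticality weights, the four-level severity scale, and the sample findings (asset names, dates) are constructed assumptions; the 30/60/120/240-day half-lives are the slide's figures. The median time-to-fix is used as the observed half-life because, for exponential decay, the median lifetime equals the half-life.

```python
import math
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional

# Severities in descending order. Eschelbeck's half-life baseline is 30 days
# for critical, doubling at each lower severity (30 / 60 / 120 / 240 days).
SEVERITIES = ["critical", "high", "medium", "low"]
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}   # assumed weights
# Asset classification from the "Classify" step; weights are assumptions.
CRITICALITY_WEIGHT = {"mission-critical": 3, "important": 2, "routine": 1}


def baseline_half_life_days(severity: str) -> int:
    return 30 * 2 ** SEVERITIES.index(severity)


def remaining_fraction(days: float, severity: str) -> float:
    """Share of findings of this severity still expected open after `days`."""
    return 2.0 ** (-days / baseline_half_life_days(severity))


def days_until_open_fraction(target: float, severity: str) -> float:
    """Days until only `target` (e.g. 0.1 for 10%) of findings remain open."""
    return -baseline_half_life_days(severity) * math.log2(target)


@dataclass
class Finding:
    asset: str
    criticality: str
    severity: str
    first_seen: date
    fixed_on: Optional[date] = None

    def risk_score(self) -> int:
        return SEVERITY_WEIGHT[self.severity] * CRITICALITY_WEIGHT[self.criticality]

    def age_days(self, today: date) -> int:
        return ((self.fixed_on or today) - self.first_seen).days


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings, highest risk first; ties broken by age, oldest first."""
    open_findings = [f for f in findings if f.fixed_on is None]
    return sorted(open_findings, key=lambda f: (-f.risk_score(), -f.age_days(today)))


def observed_half_life(findings: List[Finding], severity: str, today: date) -> Optional[float]:
    """Median days-to-fix for one severity, or None if nothing has been fixed yet."""
    ages = [f.age_days(today) for f in findings if f.severity == severity and f.fixed_on]
    return float(median(ages)) if ages else None


def summarize(findings: List[Finding], today: date) -> Dict[str, dict]:
    """The 'Measure' / 'Audit' view: open vs fixed counts and observed vs baseline half-life."""
    report = {}
    for sev in SEVERITIES:
        subset = [f for f in findings if f.severity == sev]
        report[sev] = {
            "open": sum(1 for f in subset if f.fixed_on is None),
            "fixed": sum(1 for f in subset if f.fixed_on is not None),
            "observed_half_life": observed_half_life(findings, sev, today),
            "baseline_half_life": baseline_half_life_days(sev),
        }
    return report


# Constructed sample findings (not real scan output); dates chosen around the talk's date.
TODAY = date(2005, 1, 12)
SAMPLE: List[Finding] = [
    Finding("registrar-db", "mission-critical", "critical", date(2004, 11, 20), date(2004, 12, 10)),
    Finding("registrar-db", "mission-critical", "high", date(2004, 12, 1)),
    Finding("www-lib", "important", "critical", date(2004, 12, 15)),
    Finding("lab-pc-17", "routine", "critical", date(2004, 10, 1), date(2004, 11, 10)),
    Finding("lab-pc-17", "routine", "low", date(2004, 9, 1)),
    Finding("mail-gw", "important", "medium", date(2004, 11, 1), date(2005, 1, 3)),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, TODAY):
        print(f"{f.risk_score():3d}  {f.asset:13s} {f.severity:8s} open {f.age_days(TODAY):3d} days")
    for sev, row in summarize(SAMPLE, TODAY).items():
        print(sev, row)
    print(f"critical findings still open after 30 days: {remaining_fraction(30, 'critical'):.0%}")
    print(f"days to clear 90% of critical findings: {days_until_open_fraction(0.1, 'critical'):.0f}")
```

Two points the numbers make that the slide text does not: a "low" finding on a routine lab PC can legitimately sit below a "high" on the registrar database even though the lab PC was found months earlier, and a low-severity backlog is expected to take eight times longer to drain than a critical one, so measuring "all findings closed in 30 days" against every severity sets the team up to fail. Scanner severity is not exploitability; the weights here are the place to fold in the Slide 13 exploitation figure (80% of exploits within 60 days) or local knowledge of an asset.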

Slide 20

Vulnerability Assessment Tools
To choose the best tool(s) for your institution, you must determine and prioritize requirements
  Technical nature of the solution, including level of intrusiveness
  Ease of use, including deployability
  Reporting capabilities
  Support, including ongoing research to keep the vulnerability database updated
  Price tag
Evaluate and select "best in class" tools
  Several vendors we considered:
    Foundstone - Foundscan Scanner
    GFI LANguard - Network Security Scanner
    Internet Security Systems (ISS) - Internet Scanner
    Nessus – Nessus Scanner
    Qualys - QualysGuard
  All tools must be reviewed and tested
  Consider having several vulnerability scanners in your toolkit

Slide 21

Vulnerability Assessment Preparation
Collect source documents
  Current network architecture diagram to under
