Copyright © 2002 M. E. Kabay. All rights reserved.
Information Security on a Budget: Where to Invest First
M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance
Dept. Computer Information Systems
Norwich University, Northfield
[email protected]
http://www2.norwich.edu/mkabay/index.htm
Topics
- Policy, Power & Position
- Training and Awareness
- Hiring, Management and Firing
- System Administration
- Security Evaluations
Policy, Power & Position
- Policies must be living documents
- Assign responsibility for security
- CISO as equal of CEO, CFO, ...
- Status must not equal access (rank does not confer access rights)
- Compliance depends on top-level support
Training and Awareness
- Training and awareness are not single events
- Social engineering can be fought only by awareness and preparation
- Constant learning is essential
  - Formal courses & conferences
  - Web-based courses
  - Free resources on the Web
  - Textbooks, magazines
  - Video films and DVDs
  - In-house courses from experts
Hiring, Management and Firing
- Hiring
  - Check background carefully
  - Have candidates interviewed by future colleagues
- Management
  - Be sensitive to changes in behavior
  - Enforce vacations
- Firing
  - Shut down access
  - Retrieve corporate property
System Administration
- Establish Effective Security Configurations
- Maintain Software
- Detect Security Breaches
- Respond Intelligently to Incidents
Establish Effective Security Configurations
- Default configurations are often inadequate
- Firewalls need to implement a thought-out policy
- Network topology should reflect needs for data partitioning
- Adapt network security to changing needs
- Evaluate anti-DDoS tools
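A thought-out firewall policy can be checked mechanically rather than by eye. The following Python is an added example, not part of the original slides: it audits a simplified first-match rule set for exactly the default-configuration problems the slide warns about (a permit-all rule, no explicit final deny, rules that leak across partition boundaries, rules shadowed by earlier ones) and compares a constructed factory-default policy with a hardened one. The zone names, rule format, port numbers and the segmentation policy are constructed for illustration.

```python
"""Audit a simplified first-match firewall rule set against a segmentation policy.

Added example for this slide, not part of the original deck. The rule format,
zone names, port numbers and the FORBIDDEN paths are constructed.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source zone, or ANY
    dst: str      # destination zone, or ANY
    port: str     # destination TCP port as a string, or ANY


# Constructed three-tier segmentation: the Internet reaches only the DMZ,
# the DMZ reaches only the database tier, and nothing outside the internal
# zone reaches internal hosts directly.
FORBIDDEN = (
    ("internet", "internal"),
    ("internet", "db"),
    ("dmz", "internal"),
)


def covers(general: str, specific: str) -> bool:
    """True if a rule field set to `general` matches everything `specific` matches."""
    return general == ANY or general == specific


def audit(rules: list[Rule]) -> list[str]:
    """Return findings about the rule set; an empty list means it passes."""
    findings: list[str] = []
    if not rules or rules[-1] != Rule("deny", ANY, ANY, ANY):
        findings.append("no explicit final deny-all rule; the device default decides")
    for i, r in enumerate(rules):
        # First-match semantics: an earlier rule covering every field makes this one dead.
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier.src, r.src) and covers(earlier.dst, r.dst) and covers(earlier.port, r.port):
                findings.append(f"rule {i} is shadowed by rule {j} and can never match")
                break
        if r.action != "allow":
            continue
        if (r.src, r.dst, r.port) == (ANY, ANY, ANY):
            findings.append(f"rule {i} allows any/any/any: the firewall enforces nothing")
        elif r.port == ANY:
            findings.append(f"rule {i} allows every port to {r.dst}; restrict to the needed services")
        for fsrc, fdst in FORBIDDEN:
            if covers(r.src, fsrc) and covers(r.dst, fdst):
                findings.append(f"rule {i} permits {fsrc} -> {fdst}, forbidden by the segmentation policy")
    return findings


# Constructed factory-default policy: permit everything.
DEFAULT_RULES = [Rule("allow", ANY, ANY, ANY)]

# Constructed hardened policy implementing the segmentation above.
HARDENED_RULES = [
    Rule("allow", "internet", "dmz", "443"),
    Rule("allow", "dmz", "db", "5432"),
    Rule("allow", "internal", "dmz", "443"),
    Rule("allow", "internal", "db", "5432"),
    Rule("deny", ANY, ANY, ANY),
]

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(rules) or ['OK']}")
```

The checker encodes the topology decision (which zones may talk to which) separately from the rules, so changing needs are handled by editing FORBIDDEN and re-running the audit rather than re-reading the whole rule set.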
Maintain Software
- Single most important problem: known vulnerabilities
- Consult or subscribe to alerts
  - CERT/CC: http://www.cert.org
  - Bundesamt für Sicherheit in der Informationstechnik (BSI): http://www.bsi.bund.de/
  - Common Vulnerabilities and Exposures (CVE) list, searchable through the ICAT Metabase: http://icat.nist.gov/icat.cfm
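Subscribing to alerts only pays off if each alert is matched against what is actually installed. The following Python is an added example, not part of the original slides: it compares a software inventory with an advisory feed using numeric version comparison (so that 2.4.10 is correctly newer than 2.4.9, which a plain string comparison gets wrong) and lists the unpatched installs highest severity first. The hosts, product names, versions, advisory references and severity scale are constructed placeholders, not real CVE entries; a real run would map CVE/ICAT or CERT/CC data into the Advisory shape.

```python
"""Match a software inventory against a vulnerability advisory feed.

Added example for this slide, not part of the original deck. Hosts, product
names, versions, advisory references and the severity scale are constructed
placeholders; they are not real CVE entries.
"""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"\d+(\.\d+)*")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so that versions compare numerically.

    Trailing zeros are dropped so '1.2' equals '1.2.0'. Anything that is not
    dotted digits (e.g. '0.9.6g') is rejected rather than silently misordered.
    """
    if not VERSION_RE.fullmatch(v):
        raise ValueError(f"unsupported version string: {v!r}")
    parts = tuple(int(p) for p in v.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


@dataclass(frozen=True)
class Advisory:
    ref: str               # constructed placeholder reference, not a CVE id
    product: str
    fixed_in: str          # first version that contains the fix
    severity: int          # constructed scale: 1 low, 2 medium, 3 high
    introduced: str = "0"  # first affected version, if known


def is_affected(installed: str, adv: Advisory) -> bool:
    """Affected iff introduced <= installed < fixed_in."""
    v = parse_version(installed)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def exposures(inventory: dict[str, dict[str, str]],
              feed: list[Advisory]) -> list[tuple[str, str, str, str]]:
    """Return (host, product, installed version, advisory ref) for every
    unpatched install, highest severity first, then by host and product."""
    hits = []
    for host, packages in inventory.items():
        for product, version in packages.items():
            for adv in feed:
                if adv.product == product and is_affected(version, adv):
                    hits.append((-adv.severity, host, product, version, adv.ref))
    hits.sort()
    return [(host, product, version, ref) for _, host, product, version, ref in hits]


# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "web-1": {"examplehttpd": "2.4.9", "examplessh": "8.9"},
    "web-2": {"examplehttpd": "2.4.10", "examplessh": "9.0"},
    "db-1": {"examplesql": "13.2", "examplessh": "8.9"},
}

# Constructed advisory feed, in the shape a CVE/ICAT or CERT/CC export would be mapped to.
FEED = [
    Advisory("constructed-1", "examplehttpd", fixed_in="2.4.10", severity=3, introduced="2.4"),
    Advisory("constructed-2", "examplessh", fixed_in="9.0", severity=2),
    Advisory("constructed-3", "examplesql", fixed_in="13.3", severity=1),
]

if __name__ == "__main__":
    for host, product, version, ref in exposures(INVENTORY, FEED):
        print(f"{host}: {product} {version} needs patching ({ref})")
```

The inventory is the part most budgets skip; without an accurate list of what runs where, an alert feed produces reading material rather than a patch list.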
BSI
http://www.bsi.bund.de/
ICAT / CVE
http://icat.nist.gov/icat.cfm
Detect Security Breaches
- Quick response is valuable and economical
- Intrusion detection systems (IDS)
  - Not cheap
  - Learn / define normal patterns
  - Identify anomalies
  - Allow human response
- Total cost of acquisition, tuning and management can be high
- But cost of undetected & uncontrolled penetration can be higher
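The learn-normal, flag-anomaly, hand-to-a-human loop on the slide can be shown at small scale. The following Python is an added example, not part of the original slides: it learns each user's usual source addresses and login hours from a training window of authentication log lines, then flags logins from new sources or at unusual hours, logins by accounts with no baseline, and bursts of failed logins from one address, emitting alerts for a human to triage. The log format and every log line are constructed; a real deployment would map its syslog or IDS export into parse_line().

```python
"""Baseline-and-anomaly detection over authentication log lines.

Added example for this slide, not part of the original deck. The log format
and every log line below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>Accepted|Failed) login "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def learn_baseline(events: list[dict]) -> dict:
    """Per user: source addresses and hours of day seen in successful logins."""
    baseline: dict = defaultdict(lambda: {"sources": set(), "hours": set()})
    for e in events:
        if e["result"] == "Accepted":
            baseline[e["user"]]["sources"].add(e["src"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def detect(events: list[dict], baseline: dict,
           burst_n: int = 5, burst_window: timedelta = timedelta(seconds=60)) -> list[str]:
    """Return alerts for a human to triage; each names the time and the deviation."""
    alerts: list[str] = []
    failures: dict = defaultdict(list)   # source address -> recent failure timestamps
    for e in sorted(events, key=lambda ev: ev["ts"]):
        when = e["ts"].isoformat()
        if e["result"] == "Failed":
            recent = failures[e["src"]]
            recent.append(e["ts"])
            while e["ts"] - recent[0] > burst_window:   # slide the window forward
                recent.pop(0)
            if len(recent) == burst_n:   # fire when the window first reaches the threshold
                alerts.append(f"{when} burst: {burst_n} failed logins from {e['src']} "
                              f"within {int(burst_window.total_seconds())}s")
            continue
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append(f"{when} unknown user {e['user']} logged in from {e['src']}")
            continue
        if e["src"] not in profile["sources"]:
            alerts.append(f"{when} {e['user']} logged in from new source {e['src']}")
        if e["ts"].hour not in profile["hours"]:
            alerts.append(f"{when} {e['user']} logged in at unusual hour {e['ts'].hour:02d}")
    return alerts


def run(training_lines: list[str], detection_lines: list[str]) -> list[str]:
    baseline = learn_baseline([parse_line(l) for l in training_lines])
    return detect([parse_line(l) for l in detection_lines], baseline)


# Constructed training window: what "normal" looked like on earlier days.
TRAINING = [
    "2002-06-10T09:02:11 web-1 auth: Accepted login for alice from 10.0.0.5",
    "2002-06-10T10:15:40 web-1 auth: Accepted login for alice from 10.0.0.5",
    "2002-06-11T09:30:02 web-1 auth: Accepted login for alice from 10.0.0.7",
    "2002-06-10T14:05:00 db-1 auth: Accepted login for bob from 10.0.1.20",
    "2002-06-11T15:45:13 db-1 auth: Accepted login for bob from 10.0.1.20",
]

# Constructed detection window: one normal login, then several deviations.
TODAY = [
    "2002-06-12T09:10:00 web-1 auth: Accepted login for alice from 10.0.0.5",
    "2002-06-12T03:12:44 web-1 auth: Accepted login for alice from 198.51.100.9",
    "2002-06-12T14:20:01 db-1 auth: Failed login for bob from 203.0.113.4",
    "2002-06-12T14:20:05 db-1 auth: Failed login for bob from 203.0.113.4",
    "2002-06-12T14:20:09 db-1 auth: Failed login for bob from 203.0.113.4",
    "2002-06-12T14:20:13 db-1 auth: Failed login for bob from 203.0.113.4",
    "2002-06-12T14:20:17 db-1 auth: Failed login for bob from 203.0.113.4",
    "2002-06-12T14:21:00 db-1 auth: Accepted login for bob from 203.0.113.4",
    "2002-06-12T14:30:00 db-1 auth: Accepted login for svc_backup from 10.0.1.20",
]

if __name__ == "__main__":
    for alert in run(TRAINING, TODAY):
        print(alert)
```

The tuning cost the slide mentions lives in two places here: the quality of the training window (a baseline that already contains an intruder's logins learns them as normal) and the burst threshold, which decides how many false alarms the human on the other end must absorb.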
Respond Intelligently to Incidents
- IDS useless without effective response plan
- Computer Emergency Response Team (CERT), also known as Incident Response Team (IRT)
  - Complex and expensive planning
  - Involvement from throughout organization
  - Most experienced personnel essential
- Link CERT/IRT to DRP and BCP
  - DRP = disaster recovery plan
  - BCP = business continuity plan
- May choose to use honeypots
  - System to delay intruder, study behavior
Security Evaluations
- Developing security policies from scratch may be too hard
  - Use existing guides
  - May use external help to reduce time spent by expensive employees
- Checking security may be best done by outsiders
  - Editing text is best done by someone else
  - Checking program source code is best done by another programmer
- Need to find trustworthy experts
  - Beware those who hire criminal hackers
- Should test only after development & training
DISCUSSION