Information Security on a Budget: Where to Invest First

M. E. Kabay, PhD, CISSP
Assoc. Prof. Information Assurance
Dept. Computer Information Systems
Norwich University, Northfield, VT
[email protected]
http://www2.norwich.edu/mkabay/index.htm

Copyright © 2002 M. E. Kabay. All rights reserved.



Topics

- Policy, Power & Position
- Training and Awareness
- Hiring, Management and Firing
- System Administration
- Security Evaluations


Policy, Power & Position

- Policies must be living documents
- Assign responsibility for security
- CISO as equal of CEO, CFO . . .
- Status must not equal access
- Compliance depends on top-level support


Training and Awareness

- Training and awareness are not single events
- Social engineering can be fought only by awareness and preparation
- Constant learning is essential
  - Formal courses & conferences
  - Web-based courses
  - Free resources on Web
  - Textbooks, magazines
  - Videofilms and DVDs
  - In-house courses from experts


Hiring, Management and Firing

- Hiring
  - Check background carefully
  - Have candidates interviewed by future colleagues
- Management
  - Sensitive to changes in behavior
  - Enforce vacations
- Firing
  - Shut down access
  - Retrieve corporate property


System Administration

- Establish Effective Security Configurations
- Maintain Software
- Detect Security Breaches
- Respond Intelligently to Incidents


Establish Effective Security Configurations

- Default configurations often inadequate
- Firewalls need to implement thought-out policy
- Network topology should reflect needs for data partition
- Adapt network security to changing needs
- Evaluate anti-DDoS tools


Maintain Software

- Single most important problem: known vulnerabilities
- Consult or subscribe to alerts
  - CERT/CC http://www.cert.org
  - Bundesamt für Sicherheit in der Informationstechnik (BSI) http://www.bsi.bund.de/
  - Common Vulnerabilities and Exposures (CVE) via the ICAT Metabase http://icat.nist.gov/icat.cfm
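Subscribing to alerts only pays off if someone matches each advisory against what is actually installed. The following is an added example (not code from the slides or from any of the listed feeds) of that matching step: an advisory feed and a host inventory, both constructed for illustration with placeholder identifiers (ADV-0001 .. ADV-0003, not real CVE numbers) and invented product names, checked with numeric version comparison so that "2.0.9" is not mistaken for a version newer than "2.0.10".

```python
"""Check a software inventory against an advisory feed.

Added example, not from the slides. Advisory entries, product names and
version numbers below are constructed for illustration; the identifiers
ADV-0001 .. ADV-0003 are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple:
    """'2.0.10' -> (2, 0, 10).

    Comparing tuples of ints avoids the classic string-compare bug where
    '2.0.9' sorts after '2.0.10'. Real-world version strings with suffixes
    ('2.0.40a', '1.2-rc1') would need a fuller parser than this.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    affected_from: str  # first affected version (inclusive)
    fixed_in: str       # first patched version (exclusive upper bound)
    severity: str


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [affected_from, fixed_in)."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


# Constructed advisory feed (placeholder identifiers, invented products).
ADVISORIES = [
    Advisory("ADV-0001", "web-server", "2.0.0", "2.0.40", "high"),
    Advisory("ADV-0002", "ssh-daemon", "2.9.0", "3.4.0", "critical"),
    Advisory("ADV-0003", "dns-server", "9.0.0", "9.2.1", "high"),
]

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "www1":  {"web-server": "2.0.39", "ssh-daemon": "3.4.0"},
    "mail1": {"mail-server": "8.12.3", "ssh-daemon": "3.1.0"},
    "ns1":   {"dns-server": "9.2.1", "ssh-daemon": "3.4.2"},
}


def find_exposures(inventory, advisories):
    """Return (host, product, version, advisory id, severity) for every
    vulnerable install, most severe first so the patch queue is ordered."""
    hits = []
    for host, packages in inventory.items():
        for product, version in packages.items():
            for adv in advisories:
                if adv.product == product and is_affected(version, adv):
                    hits.append((host, product, version, adv.ident, adv.severity))
    hits.sort(key=lambda h: (SEVERITY_RANK.get(h[4], 99), h[0]))
    return hits


if __name__ == "__main__":
    for host, product, version, ident, severity in find_exposures(INVENTORY, ADVISORIES):
        print(f"{severity:8} {host:6} {product} {version} -> {ident}")
```

Note that `fixed_in` is an exclusive bound: a host running exactly the patched version (ns1's dns-server 9.2.1, www1's ssh-daemon 3.4.0) is correctly reported as clean, while anything from the first affected release up to but not including the fix is queued, critical items first.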


BSI

http://www.bsi.bund.de/


ICAT / CVE

http://icat.nist.gov/icat.cfm


Detect Security Breaches

- Quick response is valuable and economical
- Intrusion detection systems (IDS)
  - Not cheap
  - Learn / define normal patterns
  - Identify anomalies
  - Allow human response
- Total cost of acquisition, tuning and management can be high
- But cost of undetected & uncontrolled penetration can be higher
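The three IDS steps on this slide (learn normal patterns, identify anomalies, hand the result to a human) in their simplest workable form, as an added example that is not code from the slides or from any IDS product. It learns a per-user baseline of source addresses, target hosts and working hours from a training window of successful-login records, then scores new records against it. The syslog-style lines are constructed for illustration; the hosts and users are invented and the addresses are from private and documentation ranges.

```python
"""Baseline-and-anomaly detection over successful-login records.

Added example, not from the slides. The syslog-style lines below are
constructed for illustration; 10.0.0.0/8 and 203.0.113.0/24 are private /
documentation address ranges, and the hosts and users are invented.
"""
import re
from collections import defaultdict

# Matches OpenSSH-style "Accepted <method> for <user> from <src> port <n>"
# records in a syslog line. Other records (failed logins, sudo, cron) do not
# match and are ignored: this detector models successful access only.
LOG_RE = re.compile(
    r"^\w{3} +\d+ (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line):
    """Return {'hour', 'host', 'user', 'src'} for a successful login, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"hour": int(m["hh"]), "host": m["host"], "user": m["user"], "src": m["src"]}


def learn_baseline(lines):
    """'Learn normal patterns': per user, the source addresses, target hosts
    and the earliest/latest hour seen during the training period."""
    base = defaultdict(lambda: {"srcs": set(), "hosts": set(), "hours": []})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        b = base[ev["user"]]
        b["srcs"].add(ev["src"])
        b["hosts"].add(ev["host"])
        b["hours"].append(ev["hour"])
    return {user: {"srcs": b["srcs"], "hosts": b["hosts"],
                   "hour_range": (min(b["hours"]), max(b["hours"]))}
            for user, b in base.items()}


def score(line, baseline):
    """'Identify anomalies': list the ways a login departs from the baseline.
    An empty list means the login looks normal (or is not a login record)."""
    ev = parse(line)
    if ev is None:
        return []
    b = baseline.get(ev["user"])
    if b is None:
        return ["unknown user %s" % ev["user"]]
    reasons = []
    if ev["src"] not in b["srcs"]:
        reasons.append("new source %s" % ev["src"])
    lo, hi = b["hour_range"]
    if not lo <= ev["hour"] <= hi:
        reasons.append("outside usual hours %02d-%02d" % (lo, hi))
    if ev["host"] not in b["hosts"]:
        reasons.append("new target host %s" % ev["host"])
    return reasons


def find_anomalies(lines, baseline):
    """'Allow human response': return (line, reasons) for the analyst queue."""
    out = []
    for line in lines:
        reasons = score(line, baseline)
        if reasons:
            out.append((line, reasons))
    return out


# Constructed training period: what "normal" looked like.
TRAINING = [
    "Mar 18 09:02:11 www1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "Mar 18 14:40:03 www1 sshd[2388]: Accepted publickey for alice from 10.0.0.5 port 50310 ssh2",
    "Mar 19 17:15:47 www1 sshd[2971]: Accepted publickey for alice from 10.0.0.5 port 51004 ssh2",
    "Mar 18 08:30:19 mail1 sshd[1192]: Accepted password for bob from 10.0.0.9 port 40211 ssh2",
    "Mar 19 16:05:58 mail1 sshd[1470]: Accepted password for bob from 10.0.0.9 port 40787 ssh2",
]

# Constructed lines to score against that baseline.
NEW_LINES = [
    "Mar 26 10:12:30 www1 sshd[3301]: Accepted publickey for alice from 10.0.0.5 port 52012 ssh2",
    "Mar 26 03:47:09 www1 sshd[3305]: Accepted password for alice from 203.0.113.7 port 44310 ssh2",
    "Mar 26 16:20:44 ns1 sshd[811]: Accepted password for bob from 10.0.0.9 port 41002 ssh2",
    "Mar 26 12:01:15 www1 sshd[3320]: Accepted password for mallory from 10.0.0.5 port 53311 ssh2",
    "Mar 26 12:01:20 www1 sshd[3321]: Failed password for root from 203.0.113.7 port 44320 ssh2",
]

if __name__ == "__main__":
    for line, reasons in find_anomalies(NEW_LINES, learn_baseline(TRAINING)):
        print(line)
        for r in reasons:
            print("    ->", r)
```

The "tuning and management" cost the slide warns about is visible even here: a baseline learned from two days will flag every legitimate new workstation and every late shift, while a baseline learned from a window that already contained an intrusion will treat the intruder's access as normal. Choosing the training window and deciding which of the three reasons warrant a page at 3 a.m. is the human part, which is why the output is a queue of lines with reasons rather than an automatic block.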


Respond Intelligently to Incidents

- IDS useless without effective response plan
- Computer Emergency Response Team
  - Also known as Incident Response Team
- Complex and expensive planning
  - Involvement from throughout organization
  - Most experienced personnel essential
- Link CERT/IRT to DRP and BCP
  - DRP = disaster recovery plan
  - BCP = business continuity plan
- May choose to use honeypots
  - System to delay intruder, study behavior


Security Evaluations

- Developing security policies may be too hard
  - Use existing guides
  - May use external help to reduce time spent by expensive employees
- Checking security may be best done by outsiders
  - Editing text is best done by someone else
  - Checking program source code is best done by another programmer
- Need to find trustworthy experts
  - Beware those who hire criminal hackers
- Should test only after development & training


Discussion