2015-03-24 IT Security - What You Need to Know
0 likes243 views
The document discusses IT security best practices for organizations. It covers assessing security vulnerabilities through vulnerability mapping and penetration testing. Common vulnerabilities discussed include open ports, outdated software and antivirus, and weak authentication processes. The document also covers privacy laws and data breach notification requirements. Maintaining strong security requires treating it as a business decision by understanding risk and prioritizing remediation of the most serious issues.
2015-03-24 IT Security - What You Need to Know
- 1. Thrive. Grow. Achieve. IT Security – What You Need to Know Nate Solloway, CEH, CSA March 24. 2014
- 2. WHAT’S ON TAP? • Passing the Security Portion of Your Financial Audit • Assessing Security Vulnerabilities • Security in the Cloud • Privacy Laws • Q&A 2
- 3. WHO’S A CFO? RAISE YOUR HAND 3 Computer Operations Are system and application data backed up? What is the frequency? How and where are the backups stored? What is the frequency in which backups are tested? What restrictions are placed, if any, to access to the computer room and any computer equipment, telecommunication equipment and data files?
- 4. To what extent is the computer room and any computer equipment, telecommunication equipment and data files protected from environmental hazards? To what extent are security management practices in place to support the IT functions and infrastructure? How are modifications to user access privileges performed and authorized? How is IT security monitored? To what extent are logs of security activity created and maintained? Are User IDs and passwords used for individual user authentication to gain access to the company applications and financial systems? Do user passwords require strong complexity controls (i.e.: length, expiration, history, sessions, timeouts, and special restrictions). Does the client have access to the source code for any accounting system modifications made for them? 4
- 5. ASSESSING VULNERABILITIES 5 VULNERABILITY MAPPING VS. PENETRATION TESTING TOOLS ARE AWESOME, BUT…. AUTOMATED SCRIPTS, FALSE POSITIVES HOW MUCH INTELLIGENCE DO YOU NEED?
- 6. HOW THE BAD GUYS EXPLOIT THEM 6
- 9. BUT EXPLOITING IS HARD, RIGHT? 9
- 10. COMMON VULNERABILITIES 10 OPEN PORTS PEOPLE LAZY SOFTWARE PATCHING PEOPLE OUT DATE AV/IDS PEOPLE LAZY PROCESSES FOR CRITICAL AUTHENTICATION (BANKS, TRANSFERS) PEOPLE
- 11. CLIENT SIDE VULNERABILITIES CLIENT SIDE VULNERABILITIES ARE NOT ALWAYS EASY TO IDENTIFY. SOME COMMON CLIENT SIDE ATTACK AGENTS INCLUDE: - ADOBE READER - WINZIP - ITUNES - INTERNET EXPLORER - FIREFOX - SAFARI - ADOBE FLASH PLAYER 11
- 12. WHAT IS PENETRATION TESTING? BLACK BOX - APPROACHING THINGS JUST LIKE AN UNIFORMED ATTACKER - REQUIRES NO REVELATION OF SECURITY WHITE BOX - USING KNOWLEDGE OF THE SYSTEMS TO ELABORATE TEST CASES - PROVIDES AS MUCH INFORMATION AS POSSIBLE TO THE PENETRATION TEST TO THAT THEY CAN GAIN INSIGHT AND CREATE TESTS HOST BASED ASSESSMENTS - MAKE A COPY OF YOUR SERVERS. TEST ON THEM WITH FULL ACCESS LOOKING FOR VULNERABILITIES 12
- 13. WHAT DOES A REPORT DELIVER? A SECURITY ASSESSMENT DELIVERS A REPORT THAT • HELPS EXECUTIVES MAKE DECISIONS ON IMPLEMENTING SECURITY CONTROLS • HELP THE IT TEAM IMPLEMENT CONTROLS AND PATCH FLAWS DISCOVERED DURING TESTING • LOW • MED • HIGH • SERIOUS • CRITICAL 13
- 14. SECURITY IS A BUSINESS DECISION 14
- 15. RISK IS A BUSINESS DECISION 15
- 17. PRIVACY (GAPP) PERSONAL INFORMATION COLLECTED ON EMPLOYEES • NAME • ADDRESS • PHONE NUMBERS • SOCIAL SECURITY NUMBER • BANK ACCOUNT AND ROUTING NUMBERS. 17
- 18. EXTERNAL DATA COLLECTION NAMES • ADDRESSES OR GEOGRAPHIC IDENTIFIERS SMALLER THAN A STATE • PHONE NUMBERS • FAX NUMBERS • EMAIL ADDRESSES • SOCIAL SECURITY NUMBERS • CREDIT CARD ACCOUNT NUMBERS • WEB ADDRESSES • PHOTOGRAPHIC IMAGES 18
- 19. WHAT’S A BREACH? FIRST NAME OR FIRST INITIAL AND LAST NAME IN COMBINATION WITH ANY OF THE FOLLOWING • SOCIAL SECURITY NUMBER • HOME ADDRESS • EMAIL ADDRESS • PHONE NUMBERS • CREDIT CARD ACCOUNT NUMBERS 19
- 20. INCIDENTS REQUIRING NOTIFICATION • A USER (EMPLOYEE, CONTRACTOR OR THIRD PARTY PROVIDER) HAS OBTAINED UNAUTHORIZED ACCESS TO PERSONAL INFORMATION MAINTAINED IN EITHER PAPER OR ELECTRONIC FORM • AN INTRUDER HAS ACCESSED DATABASE(S) SUCH AS THAT CONTAIN PERSONAL INFORMATION ON AN INDIVIDUAL. • COMPUTER EQUIPMENT SUCH AS A WORKSTATION, LAPTOP, CD- ROM OR OTHER ELECTRONIC MEDIA CONTAINING PERSONAL INFORMATION ON AN INDIVIDUAL HAS BEEN LOST OR STOLEN. • A DEPARTMENT OR UNIT HAS NOT PROPERLY DISPOSED OF RECORDS CONTAINING PERSONAL INFORMATION ABOUT AN INDIVIDUAL. • A THIRD-PARTY SERVICE PROVIDER HAS EXPERIENCED ANY OF THE INCIDENTS ABOVE, AFFECTING THE ORGANIZATION’S DATACONTAINING PERSONAL INFORMATION. 20
- 22. 22 MINIMIZING OPEN PORTS - FEWER SERVICES? - MAYBE THE CLOUD PEOPLE - LET’S GET BACK TO THIS ONE AGGRESSIVE SOFTWARE PATCHING - SERVERS - WORKSTATIONS - APPS AV VS IDS AUTHENTICATION PEOPLE
- 23. QUESTIONS? 23 Seth Zarny – Partner szarny@raffa.com Nate Solloway – Manager nsolloway@raffa.com