Improving Your Security…For FREE
Stephen Marchewitz
CSO
SecureState

The CIO Circle, July 8, 2009
What’s the catch?

Sorry, you’re going to have to Think….

   “Thinking is the hardest work there is…that’s why so few people do it.” – Henry Ford

…And Do…

   “The only place where success comes before work is in the dictionary.” – Donald Kendall

                           Copyright 2009 SecureState                   2
About me


Stephen Marchewitz

   – B.A. The University of Michigan: Business Communications and Statistics
   – M.B.A. Case Western Reserve University: Management Information Systems and Finance
   – Ten+ years experience and progressive responsibility in multiple facets of information systems, with specific expertise in information assurance
   – SecureState LLC, CSO, 4 Years
   – Past Experience
       • Oracle Corporation, Security Service Manager
       • Computer Associates Inc., Senior Security Consultant
       • Ernst & Young, LLP, Management Consultant

SecureState Overview

• Ohio Based Company
   – Founded 2001
• 40 Security Professionals
• Information Assurance & Protection
• Audit and business background (Big X)
• Experts in ethical hacking across many specialized areas

CISSP – Certified Information Systems Security
CISM – Certified Information Security Manager
CISA – Certified Information Systems Auditor
QDSP – Qualified Data Security Professional
GSEC – SANS GIAC Security Essentials
NSA INFOSEC Assessment Methodology (IAM)
Forensics – NTI, EnCase
ANSI X9/TG-3

SecureState Overview


Audit and Compliance
  • PCI (Payment Card Industry)
  • ISO 27001/SAS 70
  • SOX, GLBA etc.
  • TG-3, NERC/CIP
  • INFOSEC (Information System Security Risk Assessment)
Profiling and Attack
  • Web Application Security (WAS)
  • Attack and Penetration Services (internal, external, client, physical, wireless)
  • Wireless Audits
  • Architecture Reviews
  • Zero-Day Research
  • Training
Risk Management
  • Security Program Manager (SPM)
  • StateScan
  • SecureTime
  • Virtual Compliance Officer (VCO)
Forensic Technology Solutions
  • Data Forensics/Incident Response
  • Reverse Engineering
  • Expert Testimony
We have no budget! – Get them to care

•   FUD – Fear, Uncertainty and Doubt only works a little bit and I never (rarely) use it.
•   That said, never underestimate the power of a good “breach” story.
•   Find a compelling event
•   Use assessments and testing
•   Get someone outside your organization to say the same thing you say to your execs…they’ll be more likely to listen
•   Learn to love to say the same thing over…and over…and over…and over...

Get it done through Regulations

• By the way Mr. CEO, we’re not PCI compliant
• You do know that if there is a breach, our state has data breach disclosure laws
• SOX and the SAS now state that audit firms must sign off on the security of the systems
• We don’t have to be compliant, but our customer is saying we do

Get the Bullies on your side



•   Work with Audit
•   Learn what they’re trying to achieve
•   You will never be good enough
•   Report, report, report




• Do you know what the problems are?

• Do you have a plan to fix them?

Don’t Hold Risk



• You don’t get paid enough to hold the risk of the organization

• Offload it to the board and/or other executive management, i.e. let them sign off

• Your job is to:
   – Identify risk (through assessments)
   – Recommend remediation
   – Provide assistance in remediation management

Make Risk Reduction Simple




Assess. Build. Rinse. Repeat.

Assessments (checks) are the best route to understand the current state of your program.

Assessments “get the wheel turning.”

You don’t/can’t know what you’re doing in security if you’re not checking first.

You can enhance your credibility by putting it into terms the business can understand.

Get advice




Refer to a Framework



NIST – www.csrc.nist.gov/publications/PubsSPs.html
Special Publications in the 800 series present documents of general interest to the computer security community.
   NIST 800-53 Security Controls for Federal Information Systems and Organizations

ISO 27000 – http://www.standardsdirect.org/iso17799.htm ($1100)
THE ISO 27001 and ISO 27002 TOOLKIT

Inventory and Classify your Assets



• Do you know everything you have?

• Have you assigned a value to your assets?

• There is a reason you don’t have an armed guard covering petty cash

• Make sure the level of protection is commensurate with the value

Simulate a breach, incident, or disaster



• Set up a meeting with all parties involved to pretend we’ve just had a breach (or disaster)

    –   Who needs to be in there?
    –   What needs to happen?
    –   Worst case
    –   What do we have to do to facilitate a forensic investigation?
         • Logging
         • Data flows
         • Network Diagrams
         • Monitoring

Question Products




• Companies are always looking to slam a $40k appliance in to solve the world for them. Unfortunately this doesn’t work.

• Detecting viruses, malware, and threats belongs in a formalized security program that is constantly tested. Penetration tests are an excellent method of identifying deficiencies within the current security program.

A product example – reshifting budget to get more

Antivirus:
Anti-virus is typically thought of as a first line of defense for detecting a potential outbreak, malware, or viruses.

   • Anti-virus companies market that they are the end-all-be-all and can catch anything out there.

   • It’s estimated that 70% of all malware is currently NOT being detected by anti-virus.

   • The truth: No longer a defensible position against attackers.

   • There are now products that combine zero-update attack protection, data loss prevention, and signature-based antivirus, reducing cost (upkeep, etc.) and increasing effectiveness.

Check out Great Sources



CIS Benchmarks –
The CIS Benchmarks are the consensus best-practice security configuration standards, both developed and accepted by government, business, industry, and academia
(http://www.cisecurity.org/benchmarks.html)

Payment Card Industry (PCI) Data Security Standard –
Free audit standards
https://www.pcisecuritystandards.org/

OWASP – Open Web Application Security Standard
www.owasp.org The de facto standard for Web Application Security

“Information Security Policies Made Easy” –
Policy book by Charles Cresson Woods ($800)

Build Awareness



• Build awareness programs that are consistent, easy, available, etc.

• However, the main message is: “Don’t be stupid!”

• Social Engineering
   – Have someone from another office (or your nephew, grandma, buddy, etc.) try to social engineer your company
   – Tell everyone the stories (e-mail, new hire training, etc.)

Free but…



• Utilize free tools if you have to

• Some exceptions, but generally it makes more sense to just get someone else to do it

Utilize Free Tools



MBSA (Microsoft Baseline Security Advisor): Helps Windows systems users answer the eternal question: How safe is my IT infrastructure? The advisor checks systems for common misconfigurations and missing security updates, then makes recommendations for improving safeguards in accordance with Microsoft security standards.

Nessus: This product is considered to be one of the best vulnerability scanners available at any price, and it happens to be free. The tool explores and maps network systems for potential weaknesses that could provide an open door to attackers. The Nessus client is compatible with all Linux/Unix systems. There's also a Win32 GUI client that works with any version of Windows.

AVG Anti-Virus Free Edition: Grisoft's AVG Anti-Virus Free Edition, compatible with Microsoft Outlook and Eudora, quarantines suspected virus-infected emails and scans all email traffic over POP3 and SMTP protocols.

Ad-Aware Free: This no-cost program scans computers for hidden parasites, including Trojan horses, worms and spyware, and removes them permanently. Ad-Aware Free is perhaps the most popular free security tool in Internet history, with publisher Lavasoft reporting more than 250 million downloads so far.

Wireshark: An open-source packet sniffer, Wireshark Network Protocol Analyzer supports network troubleshooting, analysis, software and protocol development. The tool is compatible with popular computing platforms, including Windows, Unix and Linux.

*courtesy (mostly from) itsecurity.com

Utilize Free Tools



Aircrack-NG: The aircrack-ng suite is an all-encompassing wireless exploitation framework that allows you to identify potential security flaws within your wireless environments. It also helps you detect rogue access points, and test your overall security implementations.

MailWasher: Are you sick of spam clogging your employees' mailboxes? POP3-compatible MailWasher promises to filter and block spam messages while allowing legitimate email to pass through unimpeded. And it won't cost you a nickel.

Karen's Replicator: Since even the most security-conscious business will need to restore data at some point, frequent and comprehensive backups are a vital part of any security strategy. Karen's Replicator can copy files and folders to a backup storage device on either a manual or scheduled basis. The program can also distribute files across a network and automatically restore damaged or changed files on a Web server.

Snort: An open-source network IPS (Intrusion Detection and Prevention System), Snort is a protocol analyzer that enables users to passively detect or actively block various kinds of probes and attacks. The software's detection capabilities include stealth port scans, operating-system fingerprinting attempts, buffer overflows and application attacks.

GnuPG (Gnu Privacy Guard): This family of open-source encryption products is developed under the auspices of the Free Software Foundation's software project. GnuPG can be combined with front ends that supply compatibility with virtually any operating system, past or present.

Utilize Free Hacker Tools



• Back|Track Live Security Distribution
   – Back|Track is the number one security distribution.
   – Place CD in computer, reboot, full-fledged hacker environment with the latest and greatest hacker tools.

Utilize Open-Source Tools



•   Fast-Track
     – Exploitation framework created by David Kennedy at SecureState
     – Used to effectively test security and exploit vulnerabilities
•   Metasploit
     – Most popular open-source exploitation framework




Utilize Free Forensic Tools



• DEFT (acronym for Digital Evidence & Forensic Toolkit) is a Xubuntu Linux-based Computer Forensics live CD.
   – It is designed to meet the needs of police, investigators, system administrators and Computer Forensics specialists
   – http://www.deftlinux.net/

Utilize Free Forensic Tools



• Helix3 Live CD
   – http://www.e-fense.com/helix3-download.php
   – Contains multiple open source forensic tools




Utilize Free Forensic Tools



• Forensic Live CD
   – http://www.forensiclivecd.com




Summary of biggest mistakes we see



In general, organizations don’t do enough of the following:

• Relay risk to upper management

• Ask for help on things they have no idea about

• Assess

• Build consistent, repeatable processes

• Take the time to think it through



Thank you!




“Never sacrifice opportunity for security!”

Questions?

Weitere ähnliche Inhalte

Was ist angesagt?

IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsAndrew S. Baker (ASB)
 
IBM Security Services Overview
IBM Security Services OverviewIBM Security Services Overview
IBM Security Services OverviewCasey Lucas
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be BreachedMike Saunders
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
 
Helen Patton - Cross-Industry Collaboration
Helen Patton - Cross-Industry CollaborationHelen Patton - Cross-Industry Collaboration
Helen Patton - Cross-Industry Collaborationcentralohioissa
 
Energy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber ResiliencyEnergy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber ResiliencyEnergySec
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesPeter Wood
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021lior mazor
 
The Cloud Security Landscape
The Cloud Security LandscapeThe Cloud Security Landscape
The Cloud Security LandscapePeter Wood
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...centralohioissa
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationTI Safe
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesHinne Hettema
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Luca Moroni ✔✔
 
PCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouDenim Group
 

Was ist angesagt? (20)

IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and Tools
 
ISMS-Information Security Management System-Σύστημα Διαχείρισης Πληροφοριακής...
ISMS-Information Security Management System-Σύστημα Διαχείρισης Πληροφοριακής...ISMS-Information Security Management System-Σύστημα Διαχείρισης Πληροφοριακής...
ISMS-Information Security Management System-Σύστημα Διαχείρισης Πληροφοριακής...
 
IBM Security Services Overview
IBM Security Services OverviewIBM Security Services Overview
IBM Security Services Overview
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be Breached
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
Helen Patton - Cross-Industry Collaboration
Helen Patton - Cross-Industry CollaborationHelen Patton - Cross-Industry Collaboration
Helen Patton - Cross-Industry Collaboration
 
Energy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber ResiliencyEnergy Industry Organizational Strategies to Increase Cyber Resiliency
Energy Industry Organizational Strategies to Increase Cyber Resiliency
 
Emerging Threats and Attack Surfaces
Emerging Threats and Attack SurfacesEmerging Threats and Attack Surfaces
Emerging Threats and Attack Surfaces
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
The Cloud Security Landscape
The Cloud Security LandscapeThe Cloud Security Landscape
The Cloud Security Landscape
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
 
YBB-NW-distribution
YBB-NW-distributionYBB-NW-distribution
YBB-NW-distribution
 
CEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop PresentationCEBIT 2013 - Workshop Presentation
CEBIT 2013 - Workshop Presentation
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
 
PCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red HatPCM Vision 2019 Breakout: IBM | Red Hat
PCM Vision 2019 Breakout: IBM | Red Hat
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
Social Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell YouSocial Networks and Security: What Your Teenager Likely Won't Tell You
Social Networks and Security: What Your Teenager Likely Won't Tell You
 

Andere mochten auch

Health hazards to livestock Allah Dad Khan
Health hazards to livestock Allah Dad KhanHealth hazards to livestock Allah Dad Khan
Health hazards to livestock Allah Dad KhanMr.Allah Dad Khan
 
Planlægning og styring af anlægsprojekter
Planlægning og styring af anlægsprojekterPlanlægning og styring af anlægsprojekter
Planlægning og styring af anlægsprojekterAndreas Christensen
 
Captain cheddar - walkthrough
Captain cheddar - walkthroughCaptain cheddar - walkthrough
Captain cheddar - walkthroughSam King
 

Andere mochten auch (6)

Health hazards to livestock Allah Dad Khan
Health hazards to livestock Allah Dad KhanHealth hazards to livestock Allah Dad Khan
Health hazards to livestock Allah Dad Khan
 
Presentation Red Team
Presentation Red TeamPresentation Red Team
Presentation Red Team
 
Planlægning og styring af anlægsprojekter
Planlægning og styring af anlægsprojekterPlanlægning og styring af anlægsprojekter
Planlægning og styring af anlægsprojekter
 
Captain cheddar - walkthrough
Captain cheddar - walkthroughCaptain cheddar - walkthrough
Captain cheddar - walkthrough
 
Radio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration TestingRadio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration Testing
 
Probability
ProbabilityProbability
Probability
 

Ähnlich wie Security For Free

Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to SecurityTripwire
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Emrah Alpa, CISSP CEH CCSK
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?PECB
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Claus Cramon Houmann
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowAlienVault
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsDamon Small
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are comingErnest Staats
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information securityAnant Shrivastava
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 

Ähnlich wie Security For Free (20)

Privacies are Coming
Privacies are ComingPrivacies are Coming
Privacies are Coming
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
Fortify technology
Fortify technologyFortify technology
Fortify technology
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
Information Security for Small Business
Information Security for Small BusinessInformation Security for Small Business
Information Security for Small Business
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
 
Tim Nolan
Tim NolanTim Nolan
Tim Nolan
 
Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015Keynote Information Security days Luxembourg 2015
Keynote Information Security days Luxembourg 2015
 
Bulletproof IT Security
Bulletproof IT SecurityBulletproof IT Security
Bulletproof IT Security
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
 
Privacies are coming
Privacies are comingPrivacies are coming
Privacies are coming
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 
Security analysis
Security analysisSecurity analysis
Security analysis
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 

Security For Free

  • 1. Improving Your Security…For FREE Stephen Marchewitz CSO SecureState The CIO Circle July 8, 2009 1
  • 2. What’s the catch? Sorry, you’re going to have to Think…. ―Thinking is the hardest work there is…that’s why so few people do it. ― – Henry Ford …And Do… ―The only place where success comes before work is in the dictionary.‖ –Donald Kendall Copyright 2009 SecureState 2
  • 3. About me Stephen Marchewitz – B.A. The University of Michigan Business Communications and Statistics – M.B.A. Case Western Reserve University Management Information Systems and Finance – Ten+ years experience and progressive responsibility in multiple facets of information systems with specific expertise in information assurance – SecureState LLC, CSO, 4 Years – Past Experience • Oracle Corporation, Security Service Manager • Computer Associates Inc., Senior Security Consultant • Ernst & Young, LLP, Management Consultant Copyright 2009 SecureState 3
  • 4. SecureState Overview • Ohio Based Company CISSP – Certified Information Systems Security – Founded 2001 CISM – Certified Information Security Manager CISA – Certified Information Systems Auditor QDSP – Qualified Data Security Professional • 40 Security Professionals GSEC – SANS GIAC Security Essentials NSA INFOSEC Assessment Methodology (IAM) Forensics – NTI, EnCase • Information Assurance & ANSI X9/TG-3 Protection • Audit and business background (Big X) • Experts in ethical hacking across many specialized areas Copyright 2009 SecureState 4
  • 5. SecureState Overview Audit and Compliance • PCI (Payment Card Industry) • ISO 27001/SAS 70 • SOX, GLBA etc. • TG-3, NERC/CIP • INFOSEC (Information System Security Risk Assessment) Profiling and Attack • Web Application Security (WAS) • Attack and Penetration Services (internal, external, client, physical, wireless) • Wireless Audits • Architecture Reviews • Zero-Day Research • Training Risk Management • Security Program Manager (SPM) • StateScan • SecureTime • Virtual Compliance Officer (VCO) Forensic Technology Solutions • Data Forensics/Incident Response • Reverse Engineering • Expert Testimony Copyright 2009 SecureState 5
  • 6. We have no budget! – Get them to care • FUD – Fear, Uncertainty and Doubt only works a little bit and I never (rarely) use it. • That said, never underestimate the power of a good ―breach‖ story. • Find a compelling event • Use assessments and testing • Get someone outside your organization to say the same thing you say to your execs…they’ll be more likely to listen • Learn to love to say the same thing over…and over…and over… and over... Copyright 2009 SecureState 6
  • 7. Get it done through Regulations • By the way Mr. CEO, we’re not PCI compliant • You do know that if there is a breach, our state has data breach disclosure laws • SOX and the SAS now state that audit firms must sign off on the security of the systems • We don’t have to be compliant, but our customer is saying we do Copyright 2009 SecureState 7
  • 8. Get the Bullies on your side • Work with Audit • Learn what they’re trying to achieve • You will never be good enough • Report, report, report • Do you know what the problems are? • Do you have a plan to fix them? Copyright 2009 SecureState 8
  • 9. Don’t Hold Risk • You don’t get paid enough to hold the risk of the organization • Offload it to the board and/or other executive management, i.e. let them sign off • Your job is to: – Identify risk (through assessments) – Recommend remediation – Provide assistance in remediation management Copyright 2009 SecureState 9 9
10. Make Risk Reduction Simple
11. Assess. Build. Rinse. Repeat.

Assessments (checks) are the best route to understand the current state of your program.

Assessments "get the wheel turning".

You don't/can't know what you're doing in security if you're not checking first.

You can enhance your credibility by putting it into terms the business can understand.
12. Get advice
13. Refer to a Framework

NIST – www.csrc.nist.gov/publications/PubsSPs.html
   Special Publications in the 800 series present documents of general interest to the computer security community
   NIST 800-53 Security Controls for Federal Information Systems and Organizations

ISO 27000 – http://www.standardsdirect.org/iso17799.htm ($1100)
   THE ISO 27001 and ISO 27002 TOOLKIT
14. Inventory and Classify your Assets

   • Do you know everything you have?
   • Have you assigned a value to your assets?
   • There is a reason you don't have an armed guard covering petty cash
   • Make sure the level of protection is commensurate with the value
15. Simulate a breach, incident, or disaster

   • Set up a meeting with all parties involved to pretend we've just had a Breach (or Disaster)
       – Who needs to be in there?
       – What needs to happen?
       – Worst case
       – What do we have to do to facilitate a forensic investigation?
           • Logging
           • Data flows
           • Network Diagrams
           • Monitoring
16. Question Products

   • Companies are always looking to slam in a $40k appliance to solve the world for them. Unfortunately this doesn't work.
   • Detecting viruses, malware, and threats belongs in a formalized security program that is constantly tested. Penetration tests are excellent methods of identifying deficiencies within the current security program.
17. A product example – shifting budget to get more

Antivirus: Anti-virus is typically thought of as a first line of defense for detecting a potential outbreak, malware, or viruses.
   • Anti-virus companies market that they are the end-all-be-all and can catch anything out there.
   • It's estimated that 70% of all malware is currently NOT being detected by anti-virus.
   • The truth: No longer a defensible position against attackers.
   • There are now products that combine zero-update attack protection, data loss prevention, and signature-based antivirus, reducing cost (upkeep, etc.) and increasing effectiveness.
18. Check out Great Sources

CIS Benchmarks – The CIS Benchmarks are the consensus best practice security configuration standards both developed and accepted by government, business, industry, and academia (http://www.cisecurity.org/benchmarks.html)

Payment Card Industry (PCI) Data Security Standard – Free audit standards https://www.pcisecuritystandards.org/

OWASP – Open Web Application Security Standard www.owasp.org
   The de facto standard for Web Application Security

"Information Security Policies Made Easy" – Policy book by Charles Cresson Woods ($800)
19. Build Awareness

   • Build awareness programs, consistency, ease, available, etc.
   • However the main message is: "Don't be stupid!"
   • Social Engineering
       – Have someone from another office (or your nephew, grandma, buddy, etc.) try to social engineer your company
       – Tell everyone the stories (e-mail, new hire training, etc.)
20. Free but…

   • Utilize free tools if you have to
   • Some exceptions, but generally it makes more sense to just get someone else to do it
21. Utilize Free Tools

MBSA (Microsoft Baseline Security Advisor): Helps Windows systems users answer the eternal question: How safe is my IT infrastructure? The advisor checks systems for common misconfigurations and missing security updates, then makes recommendations for improving safeguards in accordance with Microsoft security standards.

Nessus: This product is considered to be one of the best vulnerability scanners available at any price, and it happens to be free. The tool explores and maps network systems for potential weaknesses that could provide an open door to attackers. The Nessus client is compatible with all Linux/Unix systems. There's also a Win32 GUI client that works with any version of Windows.

AVG Anti-Virus Free Edition: Grisoft's AVG Anti-Virus Free Edition, compatible with Microsoft Outlook and Eudora, quarantines suspected virus-infected emails and scans all email traffic over POP3 and SMTP protocols.

Ad-Aware Free: This no-cost program scans computers for hidden parasites (including Trojan horses, worms and spyware) and removes them permanently. Ad-Aware Free is perhaps the most popular free security tool in Internet history, with publisher Lavasoft reporting more than 250 million downloads so far.

Wireshark: An open-source packet sniffer, Wireshark Network Protocol Analyzer supports network troubleshooting, analysis, software and protocol development. The tool is compatible with popular computing platforms, including Windows, Unix and Linux.

*courtesy (mostly from) itsecurity.com
22. Utilize Free Tools

Aircrack-NG: The aircrack-ng suite is an all-encompassing wireless exploitation framework that allows you to identify potential security flaws within your wireless environments. It also helps you detect rogue access points, and test your overall security implementations.

MailWasher: Are you sick of spam clogging your employees' mailboxes? POP3-compatible MailWasher promises to filter and block spam messages while allowing legitimate email to pass through unimpeded. And it won't cost you a nickel.

Karen's Replicator: Since even the most security-conscious business will need to restore data at some point, frequent and comprehensive backups are a vital part of any security strategy. Karen's Replicator can copy files and folders to a backup storage device on either a manual or scheduled basis. The program can also distribute files across a network and automatically restore damaged or changed files on a Web server.

Snort: An open-source network IPS (Intrusion Detection and Prevention System), Snort is a protocol analyzer that enables users to passively detect or actively block various kinds of probes and attacks. The software's detection capabilities include stealth port scans, operating-system fingerprinting attempts, buffer overflows and application attacks.

GnuPG (Gnu Privacy Guard): This family of open-source encryption products is developed under the auspices of the Free Software Foundation's software project. GnuPG can be combined with front ends that supply compatibility with virtually any operating system, past or present.
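To make the Snort entry above concrete, here is an added example (not from the slides and not Snort's own code) of the simplest form of the port-scan detection it describes: a sliding-window count of distinct destination ports probed by one source against one host. The log format, field names, the sample lines and the thresholds are all constructed for this illustration; a real IDS works on packets rather than text, but the decision logic is the same.

```python
"""Toy port-scan detector over constructed connection-log lines.

Added example: illustrates the kind of logic an IDS such as Snort applies
when it flags a port scan. It is not Snort code and not from the slides.
Log format, field names and thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not real traffic). Format assumed for this
# example: timestamp, source IP, destination IP, destination port, TCP flags.
# 10.0.0.9 probes seven ports in three seconds; the other sources are normal.
SAMPLE_LOG = """\
2009-07-08T10:00:01 src=10.0.0.5 dst=192.168.1.10 dport=80 flags=S
2009-07-08T10:00:01 src=10.0.0.5 dst=192.168.1.10 dport=80 flags=A
2009-07-08T10:00:02 src=10.0.0.9 dst=192.168.1.10 dport=21 flags=S
2009-07-08T10:00:02 src=10.0.0.9 dst=192.168.1.10 dport=22 flags=S
2009-07-08T10:00:02 src=10.0.0.9 dst=192.168.1.10 dport=23 flags=S
2009-07-08T10:00:03 src=10.0.0.9 dst=192.168.1.10 dport=25 flags=S
2009-07-08T10:00:03 src=10.0.0.9 dst=192.168.1.10 dport=80 flags=S
2009-07-08T10:00:03 src=10.0.0.9 dst=192.168.1.10 dport=110 flags=S
2009-07-08T10:00:04 src=10.0.0.9 dst=192.168.1.10 dport=443 flags=S
2009-07-08T10:00:05 src=10.0.0.7 dst=192.168.1.10 dport=443 flags=S
2009-07-08T10:00:09 src=10.0.0.7 dst=192.168.1.10 dport=443 flags=A
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport, flags).

    Returns None for malformed lines so that one bad line cannot crash
    the detector (a common failure mode in hand-rolled log parsers).
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["src"], fields["dst"], int(fields["dport"]), fields["flags"]
    except (ValueError, KeyError):
        return None


def detect_port_scans(log_text, distinct_ports=5, window_seconds=10):
    """Flag any source that sends SYN-only probes to at least `distinct_ports`
    different ports on one destination inside a sliding window of
    `window_seconds`. Returns a sorted list of (src, dst, port_count)
    alerts, one per offending (src, dst) pair, with the peak count seen.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, dport)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if flags != "S":          # only connection attempts count toward a scan
            continue
        q = recent[(src, dst)]
        q.append((ts, dport))
        # Drop events that have aged out of the window (input is time-ordered).
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(ports))
    return sorted((s, d, n) for (s, d), n in alerts.items())


if __name__ == "__main__":
    for src, dst, n in detect_port_scans(SAMPLE_LOG):
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

Only the SYN-flagged lines are counted, which is why the two ordinary connections from 10.0.0.5 and 10.0.0.7 never trip the threshold; tuning `distinct_ports` and `window_seconds` to the environment is exactly the kind of work the "Free but…" slide warns is not free.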
23. Utilize Free Hacker Tools

   • Back|Track Live Security Distribution
       – Back|Track is the number one security distribution.
       – Place CD in computer, reboot, full-fledged hacker environment with the latest and greatest hacker tools.
24. Utilize Open-Source Tools

   • Fast-Track
       – Exploitation framework created by David Kennedy at SecureState
       – Used to effectively test security and exploit vulnerabilities
   • Metasploit
       – Most popular open-source exploitation framework
25. Utilize Free Forensic Tools

   • DEFT (acronym for Digital Evidence & Forensic Toolkit) is a Xubuntu Linux-based Computer Forensics live CD.
       – It is designed to meet the needs of police, investigators, system administrators and Computer Forensics specialists
       – http://www.deftlinux.net/
26. Utilize Free Forensic Tools

   • Helix3 Live CD
       – http://www.e-fense.com/helix3-download.php
       – Contains multiple open source forensic tools
27. Utilize Free Forensic Tools

   • Forensic Live CD
       – http://www.forensiclivecd.com
28. Summary of biggest mistakes we see

In general, organizations don't do enough of the following:
   • Relay risk to upper management
   • Ask for help on things they have no idea about
   • Assess
   • Build consistent, repeatable processes
   • Take the time to think it through
29. Thank you!

"Never sacrifice opportunity for security!"

Questions?