Enterprise IT Security
What you need to know

Presented By
Vipul Shah
Director, PC Solutions Limited
Objective
Raise awareness that IT Security is
1.  an important business issue,
2.  deserves the attention of the
    organisational leadership AND
3.  must be part of an overall risk
    management strategy for the
    organisation
If you are a leader within an organisation, ask yourself:
1.   Has computer security received my attention?
2.   Do I assist my IT team by providing them with the tools they need to do their jobs?
3.   Do I support my IT team by abiding by the policies that have been set?
4.   Do we have good company-wide IT policies in place?

Probably NO
So does anyone care about Security?
    When we buy a new car we
    1.   first install the state of the art alarm system,
    2.   then we install a tracker,
    3.   then we insure the car so that if 1 and 2 fail we can still buy another, and
    4.   then we employ security guards – at home, at the office and even on the streets.

    We always worry about loss or damage to our assets. We crave security!
Where are your company’s assets?
 • Buildings
 • Vehicles
 • Fixtures and fittings
 • Computer and office equipment


Is that it?

 • Information and data held on computers and servers throughout the organisation is also a business asset
What is the information worth?
1.   If your competitor got the names and details of all your customers, would you have a problem?
2.   If a fire destroyed all your buildings and your records, what would you do?
3.   If the day before a major tender your hard drive crashed, what would you do?
If you are in the service industry then your information is
your PRIMARY asset.

Impossible to put a value on how much it is really worth.
 • When thinking of your corporate assets, INCLUDE your IT systems and the data that resides on them.

Step one to an effective security system

Know what you want to protect
What are the risks to your IT assets?

 • Physical risks
   – Theft
   – Damage
   – Disaster
   – Catastrophe
 • Digital risks
   – Viruses
   – Denial of Service
   – Unauthorised access
   – Abuse of the systems
   – Malicious code
Physical Risks
 • Walls/fences
 • Locks
 • Security guards
 • Fire detection systems
 • Fire-proof safes
 • Off-site storage of data/backups
Digital Risks
 • Viruses
 • Denial of Service
 • Unauthorised access
 • Abuse of the systems
 • Malicious code
Viruses
 • Well known risk
 • How many have AV software?
 • How many paid for AV software?
 • How do you manage the updates/upgrades process?
   – Do you have a policy?
   – Do you have someone responsible/accountable?
   – Are you protecting all the entry points?
Denial of Service
 • Attack in which the organisation is denied access to a specific service
 • Known to have affected global brands such as Yahoo and eBay
 • Often carried out by exploiting known weaknesses in the OS
 • When a DoS attack happens:
   – Would you know you were being subjected to a DoS attack?
   – How would you react?
   – Is there a plan in place to deal with the event?
Unauthorised Access
 • Unauthorised use of your corporate systems
   – Theft, unauthorised changes, deletion, and unauthorised distribution
 • Issue of data security and integrity
 • Many ways these are carried out
   – User error, ex-employees whose passwords are still active, hackers etc.
 • Impact
   – From minor embarrassment to multi-million $$$ losses affecting many people
Unauthorised access (2)
 • What do you do to limit unauthorised access?
   – Have you got effective password management?
   – Do users know never to give their passwords out to anyone?
   – How well does your IDS work?
   – Have you investigated encryption?
 • You have a financial audit annually – when was the last time you had an IT security audit?
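One concrete piece of the IT security audit this slide asks about, as an added example that is not from the presentation: it reconciles a directory export against an HR leavers list and flags enabled accounts that still belong to people who have left, plus accounts whose password is older than policy allows. The account data, the leavers list and the 90-day maximum password age are all constructed for the example.

```python
"""Account-hygiene check for two questions on the slide: are ex-employees'
accounts still active, and is password management actually effective?
All names, dates and the policy value are constructed sample data."""
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value, not stated in the deck
AUDIT_DATE = date(2009, 11, 30)  # constructed "today" for the audit run


@dataclass
class Account:
    username: str
    enabled: bool
    password_last_set: date


# Constructed directory export (what an IT team would pull from its user store)
ACCOUNTS = [
    Account("asmith", True, date(2009, 8, 20)),
    Account("bjones", True, date(2009, 11, 20)),
    Account("cmwangi", False, date(2009, 5, 5)),
    Account("dpatel", True, date(2009, 3, 15)),
]

# Constructed HR leavers list: username -> last working day
LEAVERS = {"asmith": date(2009, 10, 31), "cmwangi": date(2009, 4, 30)}


def audit_accounts(accounts, leavers, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (leavers_still_enabled, passwords_older_than_policy), each a
    list of usernames in directory order. Only enabled accounts are reported,
    because a disabled account is no longer a live path into the systems."""
    leavers_still_enabled = []
    passwords_older_than_policy = []
    for acct in accounts:
        if not acct.enabled:
            continue
        # A leaver whose last day has passed should have been disabled already
        if acct.username in leavers and leavers[acct.username] <= today:
            leavers_still_enabled.append(acct.username)
        # Password age is measured from the last reset to the audit date
        if (today - acct.password_last_set).days > max_age_days:
            passwords_older_than_policy.append(acct.username)
    return leavers_still_enabled, passwords_older_than_policy


if __name__ == "__main__":
    gone, old = audit_accounts(ACCOUNTS, LEAVERS, AUDIT_DATE)
    print("Leavers still enabled:", gone)
    print("Passwords older than policy:", old)
```

Any name on the first list is a finding to act on the same day; the second list measures whether the password policy is being enforced rather than merely written.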
Abuse of the Systems
 • Generally internal to the organisation
   – Physical world – my guys having a long break
   – Virtual world – use of IT resources for personal use (Lara Croft manuals)
 • SPAM
   – Unsolicited email sent to people without their consent
 • Mail relay
   – Use of your bandwidth to send mails (SPAM)
Abuse of the Systems (2)
 • Why is this an issue?
   – TIME
      • Cost of SPAM to a 100-user organisation will exceed US $5,000 per year.
   – Use of resources paid for by the organisation
   – Loss of business
 • Do you have an appropriate use policy?
   – For example: no personal use of email during the working day? No XXX material! Company policy on not sending out SPAM mail?
Malicious Code
 • Software designed to cause losses/damage
 • Some written by employees (fraud/revenge)
 • More publicity – worms and Trojans
   – Blaster worm – takes advantage of an error in s/w code to spread to many computers and then launch a coordinated attack on the MS Windows Update site
   – Nachi worm – designed to clean the Blaster worm, then delete itself on 1/1/2004
   – Klez – around since April but still prevalent; exploits a weakness in IE 5 and 5.5 without SP. Mails itself to people on the mailing list
Malicious Code (2)
How do you guard?
 • Employee-designed s/w – difficult, but needs an effective “authorisation” procedure
 • Worms – make sure AV is always up to date and ensure all the latest patches are installed
      • Massive task given the number of patches being released
 • Are you protecting all the different entry points?
Some other issues
 • IT staff are probably stretched “fighting fires”
 • Range of skills unavailable – impossible to be good at everything
 • Intrusion Detection Systems generating so many alerts it is impossible to tell actual threats from “background noise”
 • Lack of management support – I don’t want to know your problems, just “fix it”
Recap
Raise awareness that IT Security is
1.  an important business issue,
2.  deserves the attention of the
    organisational leadership AND
3.  must be part of an overall risk
    management strategy for the
    organisation
The risks are known

   Your choice to act or ignore
ACT
 • Identify your IT assets and determine their value
 • Identify the risks and determine the likelihood of the risk
 • Formulate a policy to manage the risks
 • Train the users in implementing the policy
 • Use a firm that can help you design an effective risk management strategy
Questions?
 • Contact
   Vipul Shah
   Tel: 2133040 or 0741 784 786
   Email: vipul@pcsolutions.co.tz
   Mtendeni Street, DSM

Posted: 11/30/2009 (25 pages)