BUSINESS CASE FOR STANDARDS ADOPTION SECURITY STANDARDS - THE TRUST FRAMEWORK
1 BUSINESS CASE FOR STANDARDS ADOPTION: SECURITY STANDARDS - THE TRUST FRAMEWORK
Alan McBride, CISSP
alan.mcbride@alcatel-lucent.com
April

2 STANDARDS AND THE TRUST FRAMEWORK: PRIMARY TAKEAWAY
Providing assurance to your customers that you are applying standards-based security best practices can build trust and can differentiate you in your market.

3 SECURITY STANDARDS: AGENDA
- The Threat Landscape
- The Security Standards Landscape
- Adopting Security Standards
- Conclusion
4 ALCATEL-LUCENT: WHO WE ARE AT A GLANCE
- Customers: network operator and enterprise; 500K+ customers, 1M+ networks
- 2012 revenues: 14.4b
- ~72,000 employees
- TR50 Most Innovative Companies
- Nobel prizes
- More than 2,900 patents in 2012; more than 30,700 active patents
- Collaborate with 250+ universities
- Bell Labs in 7 countries, including Ireland
- Technologies and products: 400G IP, DSL vectoring, VDSL2 vectoring, carrier cloud, Motive Customer Experience, lightRadio, 400G photonic, XRS core router, 3G/4G wireless, broadband access, Ethernet, IP, optics, applications, services, cloud
5 THE THREAT LANDSCAPE: RECENT SECURITY INCIDENTS
- 1 Mar 2013, "More companies reporting cybersecurity incidents": At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults.
- Jan 2013, "Hackers in China Attacked The Times for Last 4 Months": The hackers tried to cloak the source of the attacks on The Times by first penetrating computers at United States universities and routing the attacks through them.
- Jan 2013, "U.S. warns on Java software as security concerns escalate": The U.S. Department of Homeland Security urged computer users to disable Oracle Corp's Java software.
- Mar 2013, "Logic Bomb Set Off South Korea Cyberattack": Cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea this week was set off by a logic bomb...
- 9 Apr 2013, "Fourth LulzSec Member Pleads Guilty to Hacking Sony": ...carried out attacks on the websites of the Arizona State Police, Sony, News Corp.'s Twentieth Century Fox, the U.K.'s National Health Service and technology-security company HBGary Inc.
- Aug 2012, "State-sponsored cyber espionage projects now prevalent, say experts": At least four government-sponsored programmes to deploy cyber-espionage software like the Flame, Duqu and Stuxnet software (the latter used against computers in Iran) are in progress around the world...

6 THE THREAT LANDSCAPE: SOME STATISTICS
From the 2012 Data Breach Investigations Report (note: IRISSCERT was a contributor):
- 97% of breaches were avoidable through simple or intermediate controls
- 98% were primarily due to external agents
- 96% were motivated by financial or personal gain
- 85% of breaches took weeks or more to discover
- 92% of incidents were discovered by a third party
- 69% of breaches involved malware (e.g. keyloggers)
- 81% involved hacking (e.g. use of default or guessable credentials)
SMB statistics:
- 77% of SMBs think a strong security posture is good for their brand
- 59% of SMBs have no contingency plan for a data breach
- 65% of SMBs do not use encryption or DLP to protect confidential data
- 62% of SMBs do not routinely back up data

7 THE THREAT LANDSCAPE: EVOLVING SECURITY RISKS
- Threat agents: hacktivist, cyber-criminal, nation state, insider
- Escalating threat sophistication: viruses, Trojans, worms; web threats (XSS, SQL injection); distributed denial-of-service; advanced persistent threats (APTs); fraud, extortion, cybercrime; password cracking; rootkits, botnets; identity theft; infected mobile apps; insider threats; targeted malware (e.g. Stuxnet)
- Innovation timeline: Internet; mobile; always-on, ubiquitous connectivity; apps and social media; device proliferation; virtualization and cloud; Everything-as-a-Service; machine-to-machine; smart grid, smart cities
- Threat vectors: Internet, internal access, mobile devices, supply chain
8 THE STANDARDS LANDSCAPE: CONTROLS AND BEST PRACTICES
Security standards specify controls to mitigate risks of exposure of assets to threats resulting from inherent vulnerabilities. The slide's diagram reads: threat agents (e.g. cybercriminal) attack and exploit vulnerabilities (e.g. inadequate access controls) of assets (e.g. your data), resulting in risks, which are mitigated by controls (e.g. role-based access controls) that protect the assets.
- Controls can be (often a combination of) preventative, detective or corrective in purpose: preventative (e.g. firewall), detective (e.g. IDS), corrective (e.g. security patch).
- Controls can be technical, physical or procedural in classification: technical (e.g. encryption), physical (e.g. locks), procedural (e.g. training).

9 THE STANDARDS LANDSCAPE: KEY STANDARDS BODIES
Grouped on the slide as international, jurisdictional and domain-specific:
- ITU: International Telecommunication Union
- ISO: International Organization for Standardization
- IEC: International Electrotechnical Commission
- IETF: Internet Engineering Task Force
- ETSI: European Telecommunications Standards Institute
- 3GPP: Third Generation Partnership Project
- ATIS: Alliance for Telecommunications Industry Solutions
- ENISA: European Network and Information Security Agency
- NIST: National Institute of Standards and Technology
- ANSI: American National Standards Institute
- OASIS: Advancing Open Standards for the Information Society
- OMA: Open Mobile Alliance
- CSA: Cloud Security Alliance
- TISPAN: Telecommunications and Internet converged Services and Protocols for Advanced Networking

10 THE STANDARDS LANDSCAPE: EXAMPLE SECURITY STANDARDS
- Security management standards: ISO27K, COBIT 4.x, IETF RFC 2196, NIST
- Technical security standards: cryptography (AES, RSA, DSA, PKI); secure protocols (TLS, IPsec, HTTPS, SFTP); identity management and AAA (RADIUS, SAML, OAuth, OpenID, XACML)
- Vulnerability management standards: ITU-T X.1520 (CVEs), MITRE CVSS, CWE
- Security assurance standards: ISO
- Regional and domain-specific: energy domain NERC 1300 (CIP); IACS domain ISA/IEC 6; payments domain PCI; cloud domain CSA

11 THE STANDARDS LANDSCAPE: RELEVANCE TO THREATS
This threat scenario illustrates the relevance of example ISO27K controls to common vulnerabilities in a typical three-tier system.
Web server:
- SQL injection vulnerability allowing malware insertion
- Out-of-date versions of software such as Apache, TLS, SSH etc.
- Inadequate segregation: no DMZ or firewall between web and app servers
Application server:
- Use of default passwords, and excessive access for admin accounts
- Encryption keys stored on the same server as the encrypted data
Database server:
- Inadequate data classification and segregation: confidential data stored together with other data
ISO27K controls:
- A.10.4 Protection Against Mobile and Malicious Code
- Technical Vulnerability Management (control number not captured in the transcription)
- A.12.2 Correct Processing in Applications
- A.11.2 User Access Management
- A.7.2 Information Classification
- A.11.4 Network Access Control
- A.12.3 Cryptographic Controls
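An added worked example, not part of the slide deck, showing what the A.12.2 control (correct processing in applications) means for the web-tier SQL injection vulnerability named in the scenario: a lookup that splices user input into the SQL text is placed beside its parameterized replacement, and both are run against a constructed in-memory SQLite table standing in for the database tier. The table contents, the helper names (build_demo_db, lookup_vulnerable, lookup_hardened, compare) and the malformed input are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data standing in for the database tier of the three-tier
# scenario; names, addresses and classifications are made up for this example.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.test", "confidential"),
    ("bob", "bob@example.test", "internal"),
]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, classification TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, classification) VALUES (?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Web-tier lookup that splices untrusted input into the SQL text.

    Whatever the caller supplies becomes part of the query grammar, so a
    value containing a quote character can change which rows come back.
    """
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """The same lookup with a parameterized query (A.12.2 applied).

    The driver binds the value separately from the statement, so the input
    is only ever compared as data and is never interpreted as SQL.
    """
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A malformed input of the kind the slide's scenario is about: a stray quote
# followed by an always-true condition. Constructed for this demonstration.
MALFORMED_INPUT = "nobody' OR '1'='1"


def compare(name: str) -> dict:
    """Run both lookups on one input and report how many rows each returns."""
    conn = build_demo_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, name)),
            "hardened_rows": len(lookup_hardened(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed name gives one row either way; the malformed input makes
    # the concatenated query return every row while the bound query returns none.
    for value in ("alice", MALFORMED_INPUT):
        print(repr(value), compare(value))
```

The point for the control mapping is that the fix lives in the application code, not at the network boundary: a DMZ or firewall (A.11.4) does nothing about a query that the web tier itself constructs incorrectly, which is why the slide lists A.12.2 alongside the network controls.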
12 ADOPTING SECURITY STANDARDS: ISSUES WITH ADOPTION
Applicability and suitability:
- Some may be too high-level, others too prescriptive
- May be too generic or too specific
- Delay in addressing emerging technologies (e.g. cloud)
Cost:
- Adoption requires planning, training and implementation
- Additional costs if certification is required
- Additional cost if directly involved with standards development
Overlapping or competing standards:
- Different standards may address the same area and may not be consistent
- Particularly a problem for enterprises operating in multiple jurisdictions
No silver bullet:
- Compliance can give a false sense of security
- Standards will always lag emerging threats; coverage can never be absolute
Inflexibility:
- Compliance with standards could potentially inhibit agility

13 ADOPTING SECURITY STANDARDS: PRAGMATIC ADOPTION
Maturity path: Informed, Aligned, Compliant, Certified
- Initially you can be informed by standards: standards are an important source of best practices to inform your own practices, and they generally have good coverage (a checklist or cookbook approach)
- Alignment with standards can be phased over time, e.g. a risk-based choice of which controls to implement under ISO27K
- The eventual target can be full compliance
- Ultimately, certification can be sought where applicable

14 ADOPTING SECURITY STANDARDS: FOCUS ON ISO27K
- Standard for an Information Security Management System (ISMS)
- Protection of confidentiality, integrity and availability (CIA) of information assets
- Plan-Do-Check-Act (PDCA): identify assets and security requirements; assess risks to assets; select and implement controls to mitigate risks; monitor, maintain and improve on an ongoing basis
- 11 control areas, 133 controls, spanning people, process and technology (e.g. information security policy document, inventory of assets, key management)

15 ADOPTING SECURITY STANDARDS: REASONS FOR ADOPTION OF ISO27K
1. Recognized as the best-practice standard
2. To gain competitive advantage
3. To ensure legal and regulatory compliance
4. Requirement when tendering
5. Mandated by customer
6. Competitors already certified
Source:
Size of organizations adopting ISO27K: 27% have fewer than 50 employees, 50% fewer than 200 employees, 62% fewer than 500 employees

16 ADOPTING SECURITY STANDARDS: ANOTHER EXAMPLE STANDARD - PCI DSS
- Payment Card Industry Data Security Standard
- Proprietary standard owned by the PCI SSC
- Defines minimum security controls for securing payment systems and data
- Compliance is required in the US, but validation of compliance is not mandatory

17 ADOPTING SECURITY STANDARDS: PRAGMATIC CHECKLIST
- Do you have a CSO/CISO?
- Do you have a security policy, and do all of your employees know about it?
- Do you address security aspects with your suppliers?
- Do you know the security posture of your competitors?
- Do you know what regulations or standards apply to your market and jurisdiction?
- Do you have a mobile device policy?
- Do you have basic security hygiene including firewall, antivirus, secured backups, timely patching and adequate access controls?
- Do your employees undergo security training, including guidelines on passwords, risks and protection of company data on mobile devices?
Your answers can help you decide whether you need to consider standards such as ISO27K.
18 ADOPTING SECURITY STANDARDS: TRUST THROUGH TRANSPARENCY
CSA STAR: Cloud Security Alliance Security, Trust & Assurance Registry
- Cloud providers assess themselves against CSA security controls
- Transparency is achieved through publishing the results in the registry
- Customers can read and compare the security posture of potential providers
- Validity is addressed through public scrutiny
- You can freely browse the open submissions now from multiple providers, including Amazon, Microsoft, Symantec and Terremark
- This self-assessment foundation is now evolving to include third-party assessment and certification under the CSA Open Certification Framework (OCF)
- Can help lower costs by avoiding per-customer RFx responses or audits
This is illustrative of how an open and transparent security posture can improve trust with the customer, and how businesses can compete by differentiating in the security domain: an example of how standards compliance can be part of a trust framework.

19 ADOPTING SECURITY STANDARDS: OUR EXPERIENCE AT ALCATEL-LUCENT
Involved with standards development:
- Active participation in key standards bodies such as ISO, ITU, 3GPP, drawing on Bell Labs research
- Also involved with regional bodies such as ATIS (US) and ENISA (Europe)
Applying standards internally:
- Global company: many relevant standards as input to internal practices
- Applying security standards in the development of networking products
- Combining best practices with internal Bell Labs expertise
Applying standards in external engagements:
- Applying standards in security assessments, e.g. Smart Grid networks
- Applying standards in network design and security architecture services
Contact: John Hickey, convener of NSAI ICTSCC/SC10 and representative on ISO SG27

20 ADOPTING SECURITY STANDARDS: APPLYING STANDARDS IN PRACTICE
- Threat analysis: risk-oriented analysis to determine threats, attack vectors, vulnerabilities and countermeasures
- Architecture evaluation: assess the use of technical security enablers such as firewalls, IPS, AAA, encryption and VPN to evaluate the current security architecture and areas of improvement
- Tools analysis: assess results from vulnerability scanning and penetration testing tools against the target of evaluation
- Baseline evaluation: evaluate architecture and implementation against standards, recommendations and best practices (e.g. NIST, ISO, NERC CIP) to identify strengths and gaps; standard controls referenced include NISTIR, NERC CIP, ISO, NIST, SANS CAG 20 and US DHS
Real-world example: how we at Alcatel-Lucent have used standards in assessing the security of Smart Grid utility networks globally (cf. Bell Labs Technical Journal, December 2012).

21 ADOPTING SECURITY STANDARDS: OTHER SOURCES OF SECURITY GUIDANCE
- SANS (System Administration, Networking and Security Institute) / CSIS: 20 Critical Controls for Effective Cyber Defence
- OWASP (Open Web Application Security Project): Top Ten Project, The Ten Most Critical Web Application Security Risks
- NIST (National Institute of Standards and Technology, US): NISTIR 7621, Small Business Information Security: The Fundamentals
- ISF (Information Security Forum): SoGP, Standard of Good Practice
- CSA (Cloud Security Alliance): Cloud Security Guidance

22 ADOPTING SECURITY STANDARDS: BUSINESS CASE FOR ADOPTION
Cost versus benefit:
- Implementing standard controls can protect assets and avoid costs
- Standards-based approaches can streamline the management of security
Risk management:
- Proactive and structured approaches to managing risk
- Good foundation for ensuring comprehensive coverage
Regulatory compliance:
- Where applicable, regulations generally share common ground with standards
- Standards can also improve readiness for future regulations
Market and competitive aspects:
- Market differentiation
- Customer trust as a competitive advantage

23 STANDARDS AND THE TRUST FRAMEWORK: CONCLUSION
Providing assurance to your customers that you are applying standards-based security best practices can build trust and can differentiate you in your market.
More informationBeyond the Hype: Advanced Persistent Threats
Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,
More informationBest Practices For Department Server and Enterprise System Checklist
Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)
More informationDeveloping Secure Software in the Age of Advanced Persistent Threats
Developing Secure Software in the Age of Advanced Persistent Threats ERIC BAIZE EMC Corporation DAVE MARTIN EMC Corporation Session ID: ASEC-201 Session Classification: Intermediate Our Job: Keep our Employer
More informationSecuring Smart City Platforms IoT, M2M, Cloud and Big Data
SESSION ID: SSC-W10 Securing Smart City Platforms IoT, M2M, Cloud and Big Data Ibrahim Al Mallouhi Vice President - Operations Emirates Integrated Telecommunication Company (du) Roshan Daluwakgoda Senior
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationThoughts on PCI DSS 3.0. September, 2014
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
More information2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.
2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. Entry Name HFA Submission Contact Phone Email Qualified Entries must be received by
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationCYBERSECURITY HOT TOPICS
1 CYBERSECURITY HOT TOPICS Secure Banking Solutions 2 Presenter Chad Knutson VP SBS Institute Senior Information Security Consultant Masters in Information Assurance CISSP, CISA, CRISC www.protectmybank.com
More informationMicrosoft Azure. White Paper Security, Privacy, and Compliance in
White Paper Security, Privacy, and Compliance in Security, Privacy, and Compliance in Executive Summary The adoption of cloud services worldwide continues to accelerate, yet many organizations are wary
More informationA Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER
A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER 1 Agenda Audits Articles/Examples Classify Your Data IT Control
More informationObservations from the Trenches
Observations from the Trenches CSO Breakfast Club Retail and PCI Security Forum May 2010 Olivia Rose Jenkins, CISSP, QSA Sr. Security Consultant Agenda Conversations with CXO s PCI and Your Security Program
More informationfuture data and infrastructure
White Paper Smart Grid Security: Preparing for the Standards-Based Future without Neglecting the Needs of Today Are you prepared for future data and infrastructure security challenges? Steve Chasko Principal
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationHealthcare Security Vulnerabilities. Adam Goslin Chief Operations Officer High Bit Security
Healthcare Security Vulnerabilities Adam Goslin Chief Operations Officer High Bit Security Webinar Overview IT Security and Data Loss Breach Sources / Additional Information Recent Medical Breach / Loss
More informationPCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR
PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance
More informationChapter 1 The Principles of Auditing 1
Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls
More informationPCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES
CONFIDENCE: SECURED WHITE PAPER PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE BENCHMARKS, STANDARDS, FRAMEWORKS
More informationAPPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST
APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST Application Name: Vendor Name: Briefly describe the purpose of the application. Include an overview of the application architecture, and identify the data
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationAddressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
More informationInformation Security ISO Standards. Feb 11, 2015. Glen Bruce Director, Enterprise Risk Security & Privacy
Information Security ISO Standards Feb 11, 2015 Glen Bruce Director, Enterprise Risk Security & Privacy Agenda 1. Introduction Information security risks and requirements 2. Information Security Management
More informationDetailed Description about course module wise:
Detailed Description about course module wise: Module 1: Basics of Networking and Major Protocols 1.1 Networks and its Types. 1.2 Network Topologies 1.3 Major Protocols and their Functions 1.4 OSI Reference
More informationPresented by Evan Sylvester, CISSP
Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information
More informationN-Dimension Solutions Cyber Security for Utilities
AGENDA ITEM NO.: 3.A. MEETING DATE; 08/18/2014 N-Dimension Solutions Cyber Security for Utilities Cyber Security Protection for Critical Infrastructure Assets The cyber threat is escalating - Confidential
More informationSecurity Controls Implementation Plan
GIAC Enterprises Security Controls Implementation Plan Group Discussion and Written Project John Hally, Erik Couture 08/07/2011 Table of Contents Executive Summary 3 Introduction 3 Security Controls Implementation
More informationJort Kollerie SonicWALL
Jort Kollerie Cloud 85% of businesses said their organizations will use cloud tools moderately to extensively in the next 3 years. 68% of spend in private cloud solutions. - Bain and Dell 3 Confidential
More information