The Hungarian digital security and data protection specialist.

Transcription

1 The Hungarian digital security and data protection specialist

2 WHY IS IT SECURITY IMPORTANT? The abuse of computers is an increasingly common phenomenon of both the business and the public sector. The explosive growth and quick spread of mobile devices have turned digital equipment into fertile ground for professional crime. Mobile devices are used for a significant number of external attacks resulting in considerable material and moral damage to the victim, government or company, be it the local micro-enterprise or any global multinational brand with a stable background. The protection of information from potentially disastrous cyber-attacks, being one of the most valuable assets of government and companies as well, is priority for responsible leaders who do not want to lose either their competitive advantage or their clients. QUADRON SYSTEM LTD. QUADRON offers full scale information and data protection solution: in addition to classic IT security services, QUADRON ensures the planning and development of the data protection system, the setup and configuration of the software, and the maintenance and operation of information protection systems complying with the requirements. QUADRON S IT SECURITY APPROACH The experience of the recent years has prompted us to base our strategy on simple, transparent and pragmatic principles, creating a concept built on 4 key pillars. The most valuable elements exposed to an attack in a company constitute the focal point of it: its staff, intellectual property/value, data and key information, and the IT infrastructure. The first pillar: Repelling external attacks and keeping away attackers. The second pillar: Complex protection of critical information and infrastructures. The third pillar: The areas of regulation, control and management. The fourth pillar: Professional, expert planning and support of the three main pillars.

3 STATICS AND TRENDS DATA BREACH STATISTICS BY INDUSTRY 38.9% MEDICAL, HEALTHCARE 5.3% BANKING, CREDIT, FINANCIAL 35.1% BUSINESS Types of economic crime suffered 71% Asset Misappropriation 71% 69% 37% Cybercrime 40% 24% 35% Bribery and Corruption 43% 27% 35% Accounting Fraud 31% 22% 33% Procurement Fraud 29% 31% Human Resource Fraud 15% 16% Money Laundering 17% 11% 29% Others 26% 47% 2014 Middle East 2011 Middle East 2014 Global Source: % EDUCATIONAL Percepcion of cybercrime 60% 50% 40% 30% 20% 10% 0% 48% 47% 9.9% GOVERNMENT, MILITARY 48% 45% 44% 53% 8% 21% One in five Middle East organisations report being the victim of economic crime 37% More than one in three victims of economic crime reported incidents of cybercrime 4% 2% WHAT QUADRON LTD. CAN OFFER TO GOVERNMENTS The abuse of computers is an increasingly common phenomenon of both the business and the public sector. The explosive growth and quick spread of mobile devices have turned digital equipment into fertile ground for professional crime. Mobile devices are used for a significant number of external attacks resulting in considerable material and moral damage to the victim company, be it the local micro-enterprise or any global multinational brand with a stable background. The protection of information, being one of the most valuable assets of companies, is the primary concern of any responsible manager focused on saving hard earned competitive advantages and precious clientele from potentially disastrous cyber-attacks. The government and public sector are the primary targets of many complex and very well prepared attacks by hackers, politically motivated groups. The number of cyber espionage incidents is also increasing. A client s protection strategy is developed through personal consultation to create state of the art customised protection systems that best fit the company s needs and hedge against the possible risks. Our core activity, which includes the delivery of information security systems, ranges from conventional IT security products (content filtering, end-point protection, firewalls, network security, etc.), to complex defence systems. The majority of our solutions include highend premium software, hardware and custom hardware solutions. Related services include planning and developing data security systems, commissioning and customisation of software, maintenance of information security systems and customised operation. We are experts on early warning systems and integrated security intelligence data feeds that can be integrated into established security control to define the proactive first line of defence. We can help governments design security controls for critical infrastructure, prevent cyber-attacks and data leakage and meet the requirements of certain local and/or international regulations, comply with industry standards and harden their production systems. QUADRON SYSTEM Ltd. is a specialist of digital security, data and system protection. Our team of consultants at our consultancy and service competence centre consists of professionals with a minimum of 10 years of experience and the highest level of expertise certified at international theoretical examinations. The service scope of our experts includes conventional IT security services, such as auditing, vulnerability testing and penetration testing; while our service centre is capable of designing and building the most complex protection systems. //////////////////////////////////////////////////////////////////////////////

4 REFERENCE PROJECTS: Online cash registers Based on local legislation, all cash registers must be connected online by gsm connection to computer systems of the Tax Authority Office to be able to collect all finance-related information in real-time. We provided consultancy to define the security controls to identify all devices and secure the information during the data transfer. Encryption The customer: Large enterprise account from the government sector (10,000+ seats) Background: The staff at the referenced company handles personal and classified data and information in the course of their work. Problem: Under the legislation on the protection of personal data, the data managed by the staff must be strictly protected, the usage and handling of the data must be kept track of, and it needs to be ensured that everyone has access to solely those data that are essential for the successful and efficient fulfilment of their tasks. Mobile devices contain classified data; hence, personal or corporate data can get in the hands of unauthorized persons due to the loss or theft of a device. Proposal/Solution The comprehensive implementation of the Symantec Encryption family, an enterprise-level, integrated, transparent and centrally manageable encryption system, based on international standards (IETF RFC 2015, 2440, 3056). hard disk encryption: utilising private and public key infrastructure. It ensures the security and confidentiality of data stored on hard disks or removable media, even if the device is lost or stolen. file share encryption: it provides transparent, end-to-end encryption that automatically encrypts files and folders on the servers, allowing safe retrieval and exchange of the protected documents, spreadsheets and other files. encryption: messages can be encrypted, either directly on the workstation or using the management server, in a transparent manner, just before the reaches the very last border protection device before leaving the protected enterprise network. With the help of the solution proposed by QUADRON, a secure environment can be created for communication and everyday work as well. Information cannot get into unauthorized hands even in those cases when equipment gets lost or stolen. In relation to everyday work, utilising file share encryption, a second access control was implemented by applying the so-called Segregation of Duties design, i.e., two people are required for the completion of a given task: the IT operation team manages the access lists by granting the NTFS file system rights, while the IT security team on an independent interface ensures, by the allocation of the encryption keys and the enforcement of the policies, that only those with appropriate authorisation can have access to the information. QUADRON s experience Based on our surveys and multiannual Hungarian market experience, mobile and removable devices, as well as and file share usage, cause the most critical and greatest security risk. Without aiming to be comprehensive, some examples to be mentioned are stolen or lost laptops, USB flash drives and external USB disks, copied messages or incorrect addresses, incorrect or outdated access controls for shared files, or accidental sharing with unauthorized persons or organizations.

5 Data leakage The customer: Large enterprise account from the government sector (4,000+ seats) Problem: Under the legislation on the protection of personal data, the data managed by the staff must be strictly protected; the usage and handling of the data must be monitored. However, the staff was sending sensitive documents to their Gmail accounts, copied them on removable media or stored them on workstations or laptops in order to be able to work easier/at home. QUADRON s experience Among the key findings of Symantec s 2014 Internet Security Threat Report, Volume 19, the situation of data leakage and information theft was featured prominently, in addition to the growing number of targeted cyber-attacks. In the majority of cases, the attacks were aimed at obtaining confidential, industrial, manufacturing information and personal data. Governmental institutions were the primary targets of the top 10 Spear Phishing attacks. Proposal/Solution A well-built and controlled data leakage system can perform content-based filtering of output data and information. It is able to recognise data leakage to implement and enforce the integrated IT security policies, and to eliminate and prevent data leakage. It is capable of managing unified, comprehensive incidents, collecting and maintaining subsequent secure storage of its evidence. The integrated DLP software suite protects data at rest, in motion and at the endpoint, by automatically enforcing general scope DLP policies, which serve for detection, process control and automation, and also reporting, system control and protection, provided from a central platform. At end points, the solution discovers confidential data stored on laptops and desktops, classifies endpoints exposed to great danger for further protection, and prevents confidential data to be copied to a USB device, burnt to CD or DVD, or downloaded to local hard drive. Companies can comprehensively monitor every detail of a data loss happening on the network, e.g. via , direct messaging, webpage, secure webpage (HTTPS), FTP, P2P and the general TCP traffic, and they can prevent the occurrence thereof as well. The existence and importance of data loss was confirmed during the assessment of technology-based risks, carried out by QUADRON. QUADRON has established the policies and the workflow, and it is constantly involved as consultant in the development of the preventive policies in case of events and incidents. Compliance The customer: Large enterprise account from the government sector (1,000+ seats) Problem: A complex and expensive system was developed and implemented in order to ensure the security and protection of data. However, as it was revealed during the comprehensive audits, some people at various locations did not operate and configure the system in accordance with the established policies and regulations; thus, causing security risks to the system. Proposal/Solution The environment of IT compliance is rapidly evolving in response to the increasing threats and new regulations. After the first attacks, in order to protect their information assets, companies initially responded only by developing the IT regulations they deemed appropriate. Nevertheless, after several high-profile incidents, a series of often ambiguous provisions was put forth by government agencies around the world, such as the Sarbanes-Oxley Act and the EU provisions about data confidentiality, and standards like ISO (International Organization for Standardization) 27001, PCI DSS (Payment Card Industry Data Security Standards) and COBIT (Control Objectives for Information and related Technology). As a result, the scope of IT compliance extended beyond the prevention of attacks. Organizations must now implement continuous control in order to be certain that their information system regulations comply with the requirements of the supervisory authorities. This means that beyond managing security risks, companies need to manage the legal risks as well. The Symantec Control Compliance Suite is an integrated set of technologies and procedures that enable the key processes needed to achieve and maintain IT compliance. By offering these procedures integrated into a single solution, Symantec Control Compliance Suite makes compliance procedures easier and more economical to customers. The Policy module automates the task of managing the deviations from the technical requirements and enables the restoration after misconfigurations. The Policy module provides pre-packaged technical standards that offer detailed best practices for securing servers and databases, and it also gives direction to the compliance with these policies and provides a detailed roadmap for remediating deviations. QUADRON prepared the security policies, harmonized the regulations and implemented the check points into the system. By its implementation, an automatically and continuously controllable and measurable IT environment of homogeneous security can be created.

6 OUR EXPERTS IT security related certificate CISA, CISSP, CCSK, Sun Solaris System Administration, Microsoft Visual Basic developer Security Dynamic Secure systems, Sun Solaris Server and Security Administration, Six, Sigma/Green belt, Antivirus, Firewall Administration, Advanced Security training, Symantec products trainings (Antivirus, IDS, VA, Firewall/VPN, Compliance), SANS GIAC T2, Firewall training (certified), Antivirus, SIEM, Compliance STS (System Technology Specialist) certified Academic qualifications Police Officer s Academy Criminal section, detective ENGINEERING EXECUTIVE Phoenix Police Officer s Academy Computer technology section Kando Kalman College cooperation Information system programmer 2014 Present QUADRON SYSTEM Ltd Symantec Deutschland GmbH Budapest Bank Ministry of Internals Professional experience Engineering executive Sr. Princ. Techn. Cons. Sr. System Engineer System Manager Current duties and responsibilities IT Security System Design and Implementation On-site System Operation Service Security Operation Service Review of Security Architecture and Configuration Ethical Hacking and Forensics Service Malware Analysis IT security related certificate OSCP, OSCE CEH, ECSA CISSP, CISA Academic qualifications IT SECURITY EXPERT Technical University of Budapest MsC Integrated Engineer College of Financing and Accounting BsC engineeringeconomy Bánki Donát Technical College BsC in Integrated Engineer 2014 Present QUADRON SYSTEM Ltd Create IT Technologies IFUA Horváth & Partners Pepsi Americas. Professional experience IT Security Expert IT Security Consultant IT Security Consultant IT Security Manager Current duties and responsibilities Ethical Hacking Penetration Testing Vulnerability Assessment General IT Audit IT security related certificate CISA, CISM MCP, ACE Academic qualifications BSC in Economics College of Finance and Accountancy, Budapest Post Graduation Diploma at Budapest University of Technology and Economics (Information Technology) SENIOR IT SECURITY CONSULTANT 2014 Present QUADRON SYSTEM Ltd CIB Bank Zrt. Int. San Paolo Unicredit Bank Hungary Zrt K&H Bank Zrt Ernst&Young Professional experience Sr. IT Security Consultant Head of IT Security IT Security Officer Sr. IT Auditor IT Security Consultant Current duties and responsibilities IT Security Strategy IT Security Policies IT Risk Analysis IT Control Improvements Business Continuity and Disaster Recovery Plans Data Leakage Prevention Internal Fraud Prevention / Detection International Security Standards (e.g. ISO27001, COBIT, NIST) Compliancy Legal Compliancy

7 QUADRON SYSTEM LTD. H-1051, Sas u Budapest, Hungary Telephone: +36 (1) Web: