Security on a Budget
Michael McKay, CISSP, CISA
Senior Security Engineer


© nCircle 2012. All rights reserved.
Overview


    • Target audience

    • Are you at risk?

    • How to begin

    • Get some quick wins

    • Your roadmap: the 20 Critical Controls

    • Developing your action plan



2   © nCircle 2012 All rights reserved.   nCircle Company Confidential
Poll Question


    How many live IPs do you have on your network?
        1 - 10
        11 - 50
        51 - 100
        More than 100




Target Audience—does this sound like you?

    • Small to medium-sized business, schools and government
    • Up to 500 employees
    • IT wears many hats
    • Often don’t have a dedicated Information Security department or person
    • Primary security tools are firewalls and antivirus
    • Limited budget for security
    • Management often doesn’t see security as a necessary investment
      (why would they go after us?)




Poll Question


    In your opinion, does your company understand the risk of cyber attack?
        Yes
        No




Are you at risk?

    • Perception: According to a recent survey conducted by Visa and the National
      Cyber Security Alliance, more than 85% of small business owners believe their
      companies are less of a target for cybercrime than large companies.

    • Reality: Hackers and computer criminals are aiming directly at small and
      midsize businesses. Smaller businesses offer a much more attractive target
      than larger enterprises that have steeled themselves with years of security
      spending and compliance efforts.




Small and Mid-size Business is the “sweet spot”


    • % of SMBs lacking basic defenses against cybercrime:

          Web filtering      52%
          Threat training    39%
          Anti-spam          29%
          Anti-spyware       22%
          Firewall           16%

    Source: Panda Security online survey of 1,400 small and midsize U.S. businesses



More Statistics (and you don’t want to be one)

     • 79% of victims were targets of opportunity
     • 96% of attacks were not highly difficult
     • 94% of all data compromised involved servers
     • 85% of breaches took weeks or more to discover
     • 92% of incidents were discovered by a third party
     • 97% of breaches were avoidable through simple or intermediate controls
     • 96% of victims subject to PCI DSS had not achieved compliance




Poll Question


    Does your company need to be PCI Compliant?
       Yes
       No




Are you at risk?

     • Cyberthieves funneled $217K from a convention center in Omaha
         – A phishing e-mail installed malware that provided access to the payroll
           system, and phony employees were added to the payroll
         – “Mules” collected payroll and remitted the funds to the hackers
         – Prior to the heist, the center had refused many of the security options
           offered by its bank, including a requirement that two employees sign off
           on every transfer.
         – “We had declined some of the security measures offered to us, [but if]
           we had those in place this wouldn’t have happened to us.” “We thought
           that would be administratively burdensome, and I was more worried
           about internal stuff, not somebody hacking into our systems.”




Are you at risk?

     • $497K stolen from a school district in upstate New York
         – Initial attempt was for $3.8M, but was stopped by the bank
         – Thieves used malware to gain access to online bank accounts
         – Loss represents more than 3% of their annual budget of $15M
     • Cybercrime cost a magazine store in Chicago $22,000
         – Malware on their POS systems sent customer credit card numbers to Russia,
           where they were used fraudulently.
         – The source of the leak was traced to the store.
         – The store had to pay $22K for the forensic investigation required by
           MasterCard.
         – The malware was present for over a year before it was discovered.




How to begin protecting yourself


     • Believe in the risk—it’s very real
     • Convince management of the urgency
     • Start with some quick wins—really easy!
     • Great resources: SANS, CIS, NIST, vendors
     • Consensus Audit Guidelines (The 20 Critical Controls)
     • PCI Data Security Standard (essential if you accept credit cards)
     • It’s a journey; find companions to help you




Survey says: The Top Network Vulnerability is …


                Blank or default passwords

                nCircle PureCloud benchmark statistics in April showed that eight of the
                top 10 highest risk vulnerabilities detected on small business networks are
                related to blank or default passwords.

                A good password security policy combined with regular vulnerability scans
                dramatically reduces your risk.




Some quick wins

      • Change your passwords, now, on everything! Make them strong. Never share
        them, especially privileged ones. (free)
      • Control remote access services with a firewall (free or $)
      • Use OpenDNS (free or $) to block access to known bad sites
      • Create your Security Policy: SANS (free), InstantSecurityPolicy.com ($)
      • Educate users and managers: SANS Securing the Human ($)
      • Get your roadmap: SANS 20 Critical Controls (free)




What are these 20 Critical Controls?

     • A prioritized baseline of information security measures and controls
       that can be continuously monitored through automated mechanisms

     • Developed by a collaboration of leading security experts and CISOs inside
       and outside of the government with extensive experience in incident
       response, penetration testing, and computer forensics

     • Designed with specific attack scenarios in mind, each Control begins with
       “How do attackers exploit the lack of this control?”




20 Critical Controls Guiding Principles

      • Defenses should focus on addressing the most common and damaging
        attacks occurring today and those anticipated in the near future.

      • Defenses should be automated where possible.

      • The Controls should provide specific prioritized guidance for how to
        minimize the risks.




Computer Attacker Activities and Associated Defenses




1. Inventory of Authorized and Unauthorized Devices

     Attackers continuously search for new, unpatched systems that can be
     automatically exploited. You need to know what’s on your network so you
     can manage what should be there and detect unauthorized devices.

     – Spiceworks (free)
     – nmap (free)
     – Nessus (free or $)
     – nCircle PureCloud ($)
     – nCircle IP360 ($)
     – nCircle CCM ($)
     – Standardize naming conventions (free)
     – Maintain an asset inventory with network address, machine name, purpose,
       asset owner, department (free)

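As an added example (not code from the nCircle deck), the script below reconciles an nmap ping sweep against the asset inventory the slide describes: devices that are live but not inventoried are flagged as unauthorized, and inventoried devices that did not answer are flagged for follow-up. The nmap grepable output and the inventory CSV are constructed samples, and the inventory column names are assumptions.

```python
"""Reconcile a discovery scan against the asset inventory (Critical Control 1).

Added example, not part of the nCircle deck. It assumes nmap's grepable output
(e.g. `nmap -sn -oG hosts.gnmap 192.168.1.0/24`) and an inventory CSV whose
columns follow the fields the slide lists: network address, machine name,
purpose, asset owner, department (the column names used here are assumed).
"""
import csv
import io
import re

# Constructed sample: grepable output of a ping sweep of a small office LAN.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Apr  1 09:00:00 2024 as: nmap -sn -oG - 192.168.1.0/24
Host: 192.168.1.1 (gw.office.example)\tStatus: Up
Host: 192.168.1.10 (fileserver.office.example)\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.50 (printer.office.example)\tStatus: Up
Host: 192.168.1.77 (android-3f2a.office.example)\tStatus: Up
# Nmap done at Mon Apr  1 09:00:12 2024 -- 256 IP addresses (5 hosts up) scanned in 12.00 seconds
"""

# Constructed sample inventory with the fields the slide recommends keeping.
SAMPLE_INVENTORY = """\
address,machine_name,purpose,owner,department
192.168.1.1,gw,Internet gateway,IT,IT
192.168.1.10,fileserver,File server,IT,IT
192.168.1.50,printer,Front desk printer,Reception,Admin
192.168.1.60,payroll,Payroll workstation,Finance,Finance
"""

# One grepable "Host:" line: address, reverse name in parentheses (may be empty), status.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")


def parse_gnmap(text):
    """Return {ip: hostname} for every host the scan reported as up."""
    live = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m and m.group(3) == "Up":
            live[m.group(1)] = m.group(2)  # hostname is "" when there is no reverse name
    return live


def load_inventory(text):
    """Return {address: row} from the inventory CSV, keyed by network address."""
    return {row["address"].strip(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(live, inventory):
    """Split the scan result into three groups:
    known        - live and inventoried
    unauthorized - live but not in the inventory (investigate)
    missing      - inventoried but did not answer (decommissioned, or a scan gap)
    """
    known = {ip: inventory[ip] for ip in live if ip in inventory}
    unauthorized = {ip: live[ip] for ip in live if ip not in inventory}
    missing = {ip: inventory[ip] for ip in inventory if ip not in live}
    return known, unauthorized, missing


def report(known, unauthorized, missing):
    """Render the reconciliation as lines suitable for a ticket or an e-mail."""
    lines = [f"{len(known)} known device(s) on the network"]
    for ip, name in sorted(unauthorized.items()):
        lines.append(f"UNAUTHORIZED {ip} ({name or 'no reverse name'}): not in inventory")
    for ip, row in sorted(missing.items()):
        lines.append(f"MISSING {ip} ({row['machine_name']}, owner {row['owner']}): "
                     "inventoried but not seen")
    return lines


if __name__ == "__main__":
    live_hosts = parse_gnmap(SAMPLE_GNMAP)
    print("\n".join(report(*reconcile(live_hosts, load_inventory(SAMPLE_INVENTORY)))))
```

Run it on a weekly schedule against a fresh scan and the current inventory and the UNAUTHORIZED lines become the work queue for Control 1.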
2. Inventory of Authorized and Unauthorized Software

     Unauthorized software is a common source of malware. Authorized
     software needs to be updated regularly to remediate known vulnerabilities.

     – Spiceworks (free)
     – Kaspersky Antivirus ($)
     – nCircle PureCloud ($)
     – nCircle IP360 ($)
     – nCircle CCM ($)
     – Secunia PSI (free) and CSI ($)




3. Secure Configurations for H/W and S/W on servers and workstations

     Building and maintaining your systems to highly-secure “best practice”
     standards greatly reduces the attack surface and makes it more difficult for
     exploits to spread to other systems. Standard system configurations are
     also easier and cheaper to maintain.

     – CIS Benchmarks (free)
     – Microsoft MBSA (free)
     – Microsoft security policy templates (free)
     – nCircle Configuration Compliance Manager ($)
     – Secunia PSI (free) and CSI ($)
     – NIST 800-53 (free)
     – Vendor security hardening guidelines (free)




10. Continuous Vulnerability Assessment and Remediation

     New vulnerabilities are discovered every day. You need to continually
     monitor your network for these vulnerabilities and patch them as quickly as
     possible. Automated vulnerability scanning tools like nCircle PureCloud
     can collect a hardware and software inventory in the process, addressing
     Controls 1 and 2 at the same time.

     – Microsoft WSUS (free)
     – Secunia PSI (free), CSI ($)
     – nCircle PureCloud ($)
     – nCircle IP360 ($)
     – Nessus (free or $)




Control Zero—the most essential one


     • Executive Management Support and Commitment to Security

     • You can’t succeed without this!




Your Action Plan

     – Engage senior management (CIO, CEO, CFO)
     – Compare your current state to the recommendations of the Critical Controls
     – Create your security policy
     – Educate your users about the security policy and the dangers they need
       to be aware of
     – Implement some “quick win” Critical Controls within 60 days
     – Identify additional Controls to be implemented in the next 60 days
     – Ensure that the Controls are integrated into your routine IT processes
     – Keep improving!



Poll Question


     Which security resources and news sites do you visit regularly?
     (select all that apply, if this is possible)
         ISSA – Attend local meetings
         InfraGard – Talk to the FBI about security
         SANS NewsBites
         Dark Reading
         Krebs on Security
         Securosis
         None of the above




Make some friends and know what’s happening

     • ISSA – Attend local meetings to learn and network (www.issa.org)
     • InfraGard – Meet and talk to the FBI about security (www.infraguard.net)
     • SANS – Everything security, including the Critical Controls (www.sans.org)
         – SANS NewsBites – just what it says (sans.org/newsletters/newsbites/)
     • Dark Reading – security news and research (www.darkreading.com)
     • Krebs on Security – cyber crime news (krebsonsecurity.com)
     • Securosis – security research and advisories (securosis.com)
     • NIST Special Publications (csrc.nist.gov/publications/PubsSPs.html)
     • PCI Data Security Standard (pcisecuritystandards.org/security_standards/)




nCircle Solutions for the 20 Critical Controls




Questions?





Más contenido relacionado

La actualidad más candente

Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
ConSanFrancisco123
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security
Phil Agcaoili
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
Darren Argyle
 

La actualidad más candente (20)

Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
Connecting the Dots Between Your Threat Tntelligence Tradecraft and Business ...
 
Retail Security: Closing the Threat Gap
Retail Security: Closing the Threat GapRetail Security: Closing the Threat Gap
Retail Security: Closing the Threat Gap
 
GDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT SymposiumGDPR, Data Privacy and Cybersecurity - MIT Symposium
GDPR, Data Privacy and Cybersecurity - MIT Symposium
 
Endpoint Detection and Response for Dummies
Endpoint Detection and Response for DummiesEndpoint Detection and Response for Dummies
Endpoint Detection and Response for Dummies
 
The 2018 Threatscape
The 2018 ThreatscapeThe 2018 Threatscape
The 2018 Threatscape
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & Recommendations
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
 
2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security2015 KSU So You Want To Be in Cyber Security
2015 KSU So You Want To Be in Cyber Security
 
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsLearning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Source Code Security the Symantec Way
Source Code Security the Symantec WaySource Code Security the Symantec Way
Source Code Security the Symantec Way
 
Symantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to MaturitySymantec Data Loss Prevention- From Adoption to Maturity
Symantec Data Loss Prevention- From Adoption to Maturity
 
Building Human Intelligence – Pun Intended
Building Human Intelligence – Pun IntendedBuilding Human Intelligence – Pun Intended
Building Human Intelligence – Pun Intended
 
Cyber security resilience ESRM Conference Amsterdam 2016
Cyber security resilience  ESRM Conference Amsterdam 2016Cyber security resilience  ESRM Conference Amsterdam 2016
Cyber security resilience ESRM Conference Amsterdam 2016
 
The State of Ransomware 2020
The State of Ransomware 2020The State of Ransomware 2020
The State of Ransomware 2020
 
Finding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown JewelsFinding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown Jewels
 
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The BreachFireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
FireEye Cyber Defense Summit 2016 Now What - Before & After The Breach
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
The Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityThe Proactive Approach to Cyber Security
The Proactive Approach to Cyber Security
 

Similar a Security on a budget

Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)
OnRamp
 

Similar a Security on a budget (20)

MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
 
Symantec 2011 State of Security Survey Global Findings
Symantec 2011 State of Security Survey Global FindingsSymantec 2011 State of Security Survey Global Findings
Symantec 2011 State of Security Survey Global Findings
 
Protecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software TechnologyProtecting Your IP: Data Security for Software Technology
Protecting Your IP: Data Security for Software Technology
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
Compliance what does security have to do with it
Compliance what does security have to do with it Compliance what does security have to do with it
Compliance what does security have to do with it
 
How Adopting the Cloud Can Improve Your Security.
How Adopting the Cloud Can Improve Your Security.How Adopting the Cloud Can Improve Your Security.
How Adopting the Cloud Can Improve Your Security.
 
Event Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control SystemsEvent Presentation: Cyber Security for Industrial Control Systems
Event Presentation: Cyber Security for Industrial Control Systems
 
Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)Too Small to Get Hacked? Think Again (Webinar)
Too Small to Get Hacked? Think Again (Webinar)
 
Adam Maskatiya - Redefining Security in an Era of Digital Transformation #mid...
Adam Maskatiya - Redefining Security in an Era of Digital Transformation #mid...Adam Maskatiya - Redefining Security in an Era of Digital Transformation #mid...
Adam Maskatiya - Redefining Security in an Era of Digital Transformation #mid...
 
Nvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - finalNvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - final
 
Gathering Intel from the Dark Web to Identify and Prioritize Critical Risks
Gathering Intel from the Dark Web to Identify and Prioritize Critical RisksGathering Intel from the Dark Web to Identify and Prioritize Critical Risks
Gathering Intel from the Dark Web to Identify and Prioritize Critical Risks
 
Why cyber-threats could kill your business transformation
Why cyber-threats could kill your business transformation Why cyber-threats could kill your business transformation
Why cyber-threats could kill your business transformation
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursHow to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
 
Information Technology Security Basics
Information Technology Security BasicsInformation Technology Security Basics
Information Technology Security Basics
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Cybersecurity for Your Law Firm: Data Security and Data Encryption
Cybersecurity for Your Law Firm: Data Security and Data EncryptionCybersecurity for Your Law Firm: Data Security and Data Encryption
Cybersecurity for Your Law Firm: Data Security and Data Encryption
 
Application security meetup 27012021
Application security meetup 27012021Application security meetup 27012021
Application security meetup 27012021
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
 

Más de nCircle - a Tripwire Company

Más de nCircle - a Tripwire Company (8)

Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics Bootcamp
 
Google-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor AuthenticationGoogle-Jacking: A Review of Google 2-Factor Authentication
Google-Jacking: A Review of Google 2-Factor Authentication
 
Password War Games Webinar
Password War Games Webinar Password War Games Webinar
Password War Games Webinar
 
Continuous Monitoring 2.0
Continuous Monitoring 2.0Continuous Monitoring 2.0
Continuous Monitoring 2.0
 
2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey 2012 nCircle Federal Security and Compliance Trends Survey
2012 nCircle Federal Security and Compliance Trends Survey
 
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and ActionApplying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
Applying Boyd's OODA Loop Strategy to Drive IT Security Decision and Action
 
nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt nCircle Webinar: Get your Black Belt
nCircle Webinar: Get your Black Belt
 
Real world security webinar (v2012-05-30)
Real world security   webinar (v2012-05-30)Real world security   webinar (v2012-05-30)
Real world security webinar (v2012-05-30)
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 

Security on a budget

  • 1. Security on a Budget Michael McKay, CISSP, CISA Senior Security Engineer © nCircle 2012. All rights reserved.
  • 2. Overview • Target audience • Are you at risk? • How to begin • Get some quick wins • Your roadmap: the 20 Critical Controls • Developing your action plan 2 © nCircle 2012 All rights reserved. nCircle Company Confidential
  • 3. Poll Question How many live IPs do you have on your network?  1- 10  11 - 50  51 – 100  More than 100 3 © nCircle 2012 All rights reserved. nCircle Company Confidential
  • 4. Target Audience—does this sound like you? • Small to medium-sized business, schools and government • Up to 500 employees • IT wears many hats • Often don’t have a dedicated Information Security department or person • Primary security tools are firewalls and antivirus • Limited budget for security • Management often doesn’t see security as a necessary investment (why would they go after us?) 4 © nCircle 2012 All rights reserved. nCircle Company Confidential
  • 5. Poll Question In your opinion, does your company understand the risk of cyber attack?  Yes  No 5 © nCircle 2012 All rights reserved. nCircle Company Confidential
  • 6. Are you at risk? • Perception: According to a recent survey conducted by Visa and the National Cyber Security Alliance, more than 85% of small business owners believe their companies are less of a target for cybercrime than large companies. • Reality: Hackers and computer criminals are aiming directly at small and midsize businesses. Smaller businesses offer a much more attractive target than larger enterprises that have steeled themselves with years of security spending and compliance efforts. 6 © nCircle 2012 All rights reserved. nCircle Company Confidential
  • 7. Small and Mid-size Business is the “sweet spot” • % of SMBs lacking basic defenses against cybercrime: Web filtering 52% Threat training 39% Anti-spam 29% Anti-spyware 22% Firewall 16% Source: Panda Security online survey of 1,400 small and midsize U.S. business 7 © nCircle 2012 All rights reserved. nCircle Company Confidential
  • 8. More Statistics (and you don’t want to be one) • 79% of victims were targets of opportunity • 96% of attacks were not highly difficult • 94% of all data compromised involved servers • 85% of breaches took weeks or more to discover • 92% of incidents were discovered by a third party • 97% of breaches were avoidable through simple or intermediate controls • 96% of victims subject to PCI DSS had not achieved compliance 8 © nCircle 2012 All rights reserved. nCircle Company Confidential
• 9. Poll Question: Does your company need to be PCI Compliant?
  – Yes
  – No
• 10. Are you at risk?
  • Cyberthieves funneled $217K from a convention center in Omaha
    – Phishy e-mail installed malware that provided access to the payroll system, and phony employees were added to the payroll
    – “Mules” collected payroll and remitted the funds to the hackers
    – Prior to the heist, the center refused many of the security options offered by its bank, including a requirement that two employees sign off on every transfer.
    – “We had declined some of the security measures offered to us, [but if] we had those in place this wouldn’t have happened to us.” “We thought that would be administratively burdensome, and I was more worried about internal stuff, not somebody hacking into our systems.”
• 11. Are you at risk?
  • $497K stolen from school district in upstate New York
    – Initial attempt was for $3.8M, but was stopped by the bank
    – Thieves used malware to gain access to online bank accounts
    – Loss represents more than 3% of their annual budget of $15M
  • Cybercrime cost magazine store in Chicago $22,000
    – Malware on their POS systems sent customer credit card numbers to Russia, where they were used fraudulently.
    – The source of the leak was traced to the store.
    – The store had to pay $22K for the forensic investigation required by MasterCard.
    – The malware was present for over a year before it was discovered.
• 12. How to begin protecting yourself
  • Believe in the risk—it’s very real
  • Convince management of the urgency
  • Start with some quick wins—really easy!
  • Great resources: SANS, CIS, NIST, vendors
  • Consensus Audit Guidelines (The 20 Critical Controls)
  • PCI Data Security Standard (essential if you accept credit cards)
  • It’s a journey; find companions to help you
• 13. Survey says: The Top Network Vulnerability is … Blank or default passwords
  nCircle PureCloud benchmark statistics in April showed that eight of the top 10 highest risk vulnerabilities detected on small business networks are related to blank or default passwords. A good password security policy combined with regular vulnerability scans dramatically reduces your risk.
• 14. Some quick wins
  – Change your passwords, now, on everything! Make them strong. Never share them, especially privileged ones. (free)
  – Control remote access services with firewall (free or $)
  – Use OpenDNS (free or $) to block access to known bad sites
  – Create your Security Policy: SANS (free), InstantSecurityPolicy.com ($)
  – Educate users, managers: SANS Securing the Human ($)
  – Get your roadmap: SANS 20 Critical Controls (free)
• 15. What are these 20 Critical Controls?
  • A prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms
  • Developed by a collaboration of leading security experts and CISOs inside and outside of the government with extensive experience in incident response, penetration testing, and computer forensics
  • Designed with specific attack scenarios in mind, each Control begins with “How do attackers exploit the lack of this control?”
• 16. 20 Critical Controls Guiding Principles
  – Defenses should focus on addressing the most common and damaging attacks occurring today and those anticipated in the near future.
  – Defenses should be automated where possible.
  – The Controls should provide specific prioritized guidance for how to minimize the risks.
• 17. Computer Attacker Activities and Associated Defenses
• 19. 1. Inventory of Authorized and Unauthorized Devices
  Attackers continuously search for new, unpatched systems that can be automatically exploited. You need to know what’s on your network so you can manage what should be there and detect unauthorized devices.
  • Spiceworks (free)
  • nmap (free)
  • Nessus (free or $)
  • nCircle PureCloud ($)
  • nCircle IP360 ($)
  • nCircle CCM ($)
    – Standardize naming conventions (free)
    – Maintain an asset inventory with network address, machine name, purpose, asset owner, department (free)
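As an added example (not nCircle’s code or any tool from the deck), the following Python reconciles an nmap discovery scan against an asset inventory holding the fields the slide lists, flagging live devices that are not in the inventory and inventory entries that were not seen. The nmap grepable-output lines, addresses, host names and inventory rows are constructed sample data.

```python
import csv
import io
import re

# Constructed sample of nmap "grepable" (-oG) output from a ping sweep of
# the office subnet. Made-up addresses and names, not real hosts.
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sn -oG - 192.168.10.0/24
Host: 192.168.10.1 (gw.office.example)\tStatus: Up
Host: 192.168.10.20 (fileserver.office.example)\tStatus: Up
Host: 192.168.10.57 ()\tStatus: Up
Host: 192.168.10.58 ()\tStatus: Down
"""

# Constructed asset inventory using the fields the slide recommends.
INVENTORY_CSV = """\
network_address,machine_name,purpose,asset_owner,department
192.168.10.1,gw.office.example,Internet gateway,J. Doe,IT
192.168.10.20,fileserver.office.example,File server,J. Doe,IT
192.168.10.30,printer1,Print server,A. Smith,Admin
"""

# One "Host:" line per address; the hostname in parentheses may be empty.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")


def live_hosts(grepable):
    """Return {ip: hostname} for every host nmap reported as Up."""
    hosts = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            hosts[m.group(1)] = m.group(2)
    return hosts


def load_inventory(csv_text):
    """Return {network_address: inventory row} from the CSV."""
    return {row["network_address"]: row
            for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(grepable, csv_text):
    """unauthorized: live but not in the inventory (investigate);
    missing: in the inventory but not seen (host down or stale record)."""
    seen = live_hosts(grepable)
    known = load_inventory(csv_text)
    unauthorized = {ip: name for ip, name in seen.items() if ip not in known}
    missing = {ip: row["machine_name"] for ip, row in known.items()
               if ip not in seen}
    return unauthorized, missing
```

Run it on the saved output of a real `nmap -sn -oG` sweep and your own inventory export; anything reported as unauthorized is a device to track down and either add to the inventory or remove from the network.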
• 20. 2. Inventory of Authorized and Unauthorized Software
  Unauthorized software is a common source of malware. Authorized software needs to be updated regularly to remediate known vulnerabilities.
  – Spiceworks (free)
  – Kaspersky Antivirus ($)
  – nCircle PureCloud ($)
  – nCircle IP360 ($)
  – nCircle CCM ($)
  – Secunia PSI (free) and CSI ($)
• 21. 3. Secure Configurations for H/W and S/W on servers and workstations
  Building and maintaining your systems to highly-secure “best practice” standards greatly reduces the attack surface and makes it more difficult for exploits to spread to other systems. Standard system configurations are also easier and cheaper to maintain.
  – CIS Benchmarks (free)
  – Microsoft MBSA (free)
  – Microsoft security policy templates (free)
  – nCircle Configuration Compliance Manager ($)
  – Secunia PSI (free) and CSI ($)
  – NIST 800-53 (free)
  – Vendor security hardening guidelines (free)
• 22. 10. Continuous Vulnerability Assessment and Remediation
  New vulnerabilities are discovered every day. You need to continually monitor your network for these vulnerabilities and patch them as quickly as possible. Automated vulnerability scanning tools like nCircle PureCloud can collect a hardware and software inventory in the process, addressing Controls 1 and 2 at the same time.
  – Microsoft WSUS (free)
  – Secunia PSI (free), CSI ($)
  – nCircle PureCloud ($)
  – nCircle IP360 ($)
  – Nessus (free or $)
• 23. Control Zero—the most essential one
  • Executive Management Support and Commitment to Security
  • You can’t succeed without this!
• 24. Your Action Plan
  – Engage senior management (CIO, CEO, CFO)
  – Compare your current state to the recommendations of the Critical Controls
  – Create your security policy
  – Educate your users about the security policy and the dangers they need to be aware of
  – Implement some “quick win” Critical Controls within 60 days
  – Identify additional Controls to be implemented in the next 60 days
  – Ensure that the Controls are integrated into your routine IT processes
  – Keep improving!
• 25. Poll Question: Which security resources and news sites do you visit regularly? (select all that apply if this is possible)
  – ISSA – Attend local meetings
  – InfraGard – Talk to the FBI about security
  – SANS NewsBites
  – Dark Reading
  – Krebs on Security
  – Securosis
  – None of the above
• 26. Make some friends and know what’s happening
  • ISSA – Attend local meetings to learn and network (www.issa.org)
  • InfraGard – Meet and talk to the FBI about security (www.infraguard.net)
  • SANS – Everything security, including the Critical Controls (www.sans.org)
    – SANS NewsBites – just what it says (sans.org/newsletters/newsbites/)
  • Dark Reading – security news and research (www.darkreading.com)
  • Krebs on Security – cyber crime news (krebsonsecurity.com)
  • Securosis – security research and advisories (securosis.com)
  • NIST Special Publications (csrc.nist.gov/publications/PubsSPs.html)
  • PCI Data Security Standard (pcisecuritystandards.org/security_standards/)
• 27. nCircle Solutions for the 20 Critical Controls
• 28. Questions?