A Security hole in an application can cause not only major financial loss but also loss of customer confidence, trust and reputation severely impacting the business. This webinar looks at well-established industry practices to identify and secure applications from breaches while adhering with regulatory compliances.
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Enterprise under attack dealing with security threats and compliance
1. 1
Enterprises under Attack: Dealing with
security threats and compliance
Sponsored by: SPAN Systems Corporation
Produced and Presented by: The Outsourcing Institute
2. 2
The Outsourcing Institute
• Located at outsourcing.com – Over 70,000 Executive Members Globally
• Trends, Best Practices, Case Studies
• Training Through OI University
• Specialize in Low Cost Alternatives for Outsourcing Buyers Needing
Assistance with RFP Development and/or Vendor Selection:
– Outsourcing RFP Builder Software
– Matchmaker Service
• Qualified Demand Generation Programs
• Outsourcing Jobs Opportunities and Recruiting Services Through CMS Inc.
• Local, Intimate and Interactive Outsourcing Road Show
• Sponsorship and New Business Development Opportunities & Programs
For more information contact us at:
info@outsourcing.com or 516-279-6850 ext. 712
4. 4
Topics
Enterprise Security Stature
Enterprise Security Landscape
Value of Enterprise Security
Dealing with Security Threats and Compliances
Application Security
Infrastructure Security
Compliances Validation
Budgeting for Security
5. 5
Enterprise Security Stature
Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK
• Human Errors and systems glitches caused nearly two-thirds of data breaches globally in 2012
• Malicious or criminal attacks are the most costly threats at an average of $157 per compromised record
Source: 2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec, June 2013
• Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities
• By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service
Source: Gartner Top Predictions for 2012: Control Slips Away, Gartner, December 2011
Security is an ever moving Target
63%
23%
15%
9%
41%
15%
7%
4%
Attacked by an
unauthorized outsider
Hit by denial-of-service
attacks
Network penetration by
outsiders
IP and Confidential Data
Theft
Security Breach Statistics – Small Organizations
2012 2011
78%
39%
20%
14%
73%
30%
15% 12%
Attacked by an unauthorized
outsider
Hit by denial-of-service
attacks
Network penetration by
outsiders
IP and Confidential Data
Theft
Security Breach Statistics - Large Organizations
2012 2011
6. 6
Enterprise Security Landscape
Application Security
Enterprises must address Security Threats in order to conduct the business safely
• Injection
• Broken Authentication and Session
Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
Firewall Web server Firewall Application
Server
Database
Server
• Router
• Firewall
• Switch
Host Security
• Patches and Updates
• Services
• Protocols
• Accounts
• Files and Directories
• Shares
• Ports
• Registry
• Auditing and Logging
Network Security
Infrastructure Security
7. 7
Dealing with Security Threats and Compliances
Security is a not a product, but a process.
Pre-Production
Security Testing
Application
Security Tests
Enterprise Security – Approach
Post-Production
Security Testing
Infrastructure
Security Tests
Periodic Security Audits
Compliance Validations
Managed Security
Monitoring and Operations
Establish Enterprise Security Baseline
• Applications Security Testing
• Infrastructure Security Testing
• Compliance Validations
Maintain Baseline Security Stature
• Security Validation across SDLC
• Security Monitoring and Operational Security
• Periodic Security Audits and Compliance Validations
9. 9
Infrastructure Security
The Department of Homeland Security released this map showing the locations of 7,200 key industrial control
systems that appear to be directly linked to the Internet and vulnerable to attack.
http://money.cnn.com/2013/01/09/technology/security/infrastructure-cyberattacks/
http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2012.pdf
10. 10
Infrastructure Security
• Plan to secure the infrastructure (Network, Servers, Desktops and Mobile)
• Perform Attack Surface Analysis and design a Secure Architecture
• Consider both Internal and External Penetration tests to address internal abuse and external intrusion
• Plan for Operational Security through Managed Security Services such as Unified Threat Management
Elicitate
Security
Requirements
Threat
Modeling and
Attack Surface
Analysis
Vulnerability
Assessment
Penetration
Testing
Ethical
Hacking
Enterprise Network Security
z
Operations Security & Monitoring
Threat
Management
Incident
Management
Log
Management
Security breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage,
lawsuits, downtime, malware propagation and loss of customers.
11. 11
Application Security
About 90% of the applications tested by SPAN revealed at least one HIGH RISK vulnerability
(Source: SPAN Security Testing Metrics)
(Source: SPAN Security Testing Metrics)
Applications Vulnerability Distribution - OWASP Top 10
Vulnerabilities
12. 12
Application Security
• Assess the required Security Level for the application based on the
data sensitivity and threat exposure
• Employ vulnerability management and plan to preempt the
vulnerabilities from occurring. Left Shift from detection to prevention
• Plan for application Security for every release.
• Plan for required level of security verification for the release based
on the quantum and criticality of the change in code
• Ensure that the Security Team has qualified Ethical Hackers, Secure
Programmers and Security Architects
• Ensure to follow methodologies widely accepted by industry such as OWASP
Application Security Verification Standards
• Ensure to plan for testing all the components with identified rigor.
• There is no tool in the industry that can identify all the vulnerabilities.
Leverage on Skilled exploratory testing by ethical hackers along
with the power and speed of the tools
Need is for more secure software, NOT more Security software
Elicitate
Security
Requirements
(Evil Stories)
Threat
Modeling and
Attack Surface
Analysis
Security
Code Review
Vulnerability
Assessment
Penetration
Testing
Ethical
Hacking
Requirements Design Development Deployment
Post-Deployment
Application Security
13. 13
• Establish Compliance Requirements – Regulatory,
Standards and Legal
• Plan for Pre - Audits
• Establish Compliance Metrics Dashboard and keep track
• Perform a Statistical Analysis and Implement Lessons
Learned
Compliance Validation
Example Security Compliance Dashboard
Enterprise Security
Compliances
Physical
Security
• Access
Control &
Management
Application
Security
• Secure Design
• Secure
Development
• Vulnerability
Management
• Periodic
Penetration
Testing
Infrastructure
Security
Process
Security
• Secured Data
Centers
• Threat
Management
• Events and Log
Management
• Incident
Management
• Periodic
Penetration
Testing
• Change Control
Management
• Policies and
Procedures
Source: http://www.isaca.org/
14. 14
Enterprise Security
Security Test Methodology Penetration Testing
Information Gathering
Threat Modeling and
Attack Surface Analysis
Vulnerability Analysis
Exploitation
Advancing
Exploitation
Reporting
Application/System
Security
Network Security
Identity and Access
Control
Physical Security Threat Management
Logs and Event
Management
Incident Management
Requirements
Gathering
Threat ProfilingSecurity Testing
Periodic Testing
Compliance
Validation
It is far preferable to do something NOW to avert and minimize harm before disaster strikes
17. 17
Security Verification Level Selection
The sensitivity of the application is identified based on the sensitivity of the data processed by the application and the
impact on the business by the application.
Identify what is BEST for you; all best practices are contextual
Category Highly Sensitive Moderately Sensitive Low Sensitive
Application exposed over
internet for public
• Threat Modeling & Attack Surface Analysis
• Static Code Analysis
• Security Code Review
• Vulnerability Assessment
• Application Penetration Testing
• Static Code Analysis
• Security Code Review
• Vulnerability Assessment
• Application Penetration Testing
• Static Code Analysis
• Security Code Review
• Vulnerability Assessment
• Application Penetration
Testing
Application exposed to
legitimate users over Intranet
or Dedicated Channels
• Threat Modeling & Attack Surface Analysis
• Static Code Analysis
• Security Code Review
• Application Penetration Testing
• Static Code Analysis
• Security Code Review
• Vulnerability Assessment
• Application Penetration Testing
• Static Code Analysis
• Vulnerability Assessment
19. 19
Budgeting for Security
Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK
Enterprises must plan to protect the brand, attain compliance and avert costly breaches
Protecting other assets (e.g. Cash) from theft
Improving efficiency /cost reduction
Enabling business opportunities
Protecting intellectual property
Business continuity in a disaster situation
Protecting customer information
Preventing downtime and outages
Complying with laws/regulations
Protecting the organisation’s reputation
Maintaining data integrity
Information Security ExpenditureBusiness Drivers for Information Security Expenditure
10%
of IT budget is spent on an average on security
(up from 8% a year ago)
16%
of IT budget is spent on an average on
security, where security is a very high priority
(up from 11% a year ago)
92%
of respondents expect to spend at least the
same on security next year (and 47% expect to
spend more)
20. 20
Value of Enterprise Security
Protect the brand, attain compliance and avert costly breaches.
Save Money and Business
• Avoid the potential penalties due to non-conformance to security compliances
• Avoid the losses due to financial fraud, identity theft, regulatory fines
G
Better Protection of Assets and Business
• Proactively respond to the real world security threats
• Comply to different standards and regulatory compliances
Gain competitive advantage
• Increased TRUST of users and customer
• Avoid Brand Damage, downtime and loss of customer
%
21. 21
Summary
Enterprises are under attack due to continuous discovery of vulnerabilities
Enterprises can deal with security threats and meet the regulatory compliance demands
by employing
• Plan for securing assets
• Assess gaps and establish a baseline security
• Maintain security by employing Application Security, Infrastructure Security and Operations Security measures
• Achieve Compliance by Pre-Audits and continuous management of trend
Protect Business, Save Money and Gain Competitive Advantage by ensuring
Enterprise Security
22. 22Copyright: SPAN Systems Corporation www.spansystems.com 22
SPAN Systems Corporation
U.S. ‘C’ Corporation 1993 incorporated
Wholly owned by EVRY (www.evry.com), a $2.3 Billion Nordic company
Ranked #7 Best IT Places to Work For in India; Historically low attrition
CMMI5, ISO 9001 and ISO 27001 certifications
Strong Relationship Management
Customers range from Fortune 5 to SMEs
23. 23
Poll Questions
Copyright: SPAN Systems Corporation www.spansystems.com
How important is security testing for you
Critical
Very Important
Important
Not Important
Can’t say
Do you have a security solution in place for your enterprise if not would like to
implement one?
Have NO security solution and want to implement immediately
Have a reasonable security solution and want to look at options to strengthen the
solution
Have a very secure solution would not want to make any changes
Have NO security solution and do not want to implement any security measures
24. 24
Thank you for joining
Enterprises under Attack: Dealing with
security threats and compliance
This webinar was sponsored by SPAN Systems Corporation in conjunction with The Outsourcing Institute.
Amit singh,
Partner
Avasant
Vinay Ambekar,
Senior Vice President,
Engineering,
Lavante Inc.
Pramod Grama,
Co-founder and
Executive Vice President,
SPAN Infotech (India) Pvt. Ltd.
Lakshminarasimha
Manjunatha Mohan,
Solution Architect,
SPAN Infotech (India) Pvt. Ltd.
Notas del editor
Webinar Starts at 10:30 PM IST
OI to enter the local start time
00:00 hrs
David and/or Amit to initiate
00:00 hrs + 2 minutes
Key word for next slide = “Next we talk about the speakers…”
00:00 hrs + 4 minutes
Key word for next slide = “Next we talk about the Topics for Discussion…”
00:00 hrs + 6 minutes
Indication for Pramod to take over from David/Amit
Key word for slide change = “I would now ask Pramod to introduce us to Enterprise Security…”
00:00 hrs + 9 minutes
Indication for slide change = “Next we will talk about the Security Landscape
00:00 hrs + 14 minutes
Indication for slide change = “I will now ask LN to take us into the Security Aspects for Enterprises …”
Time for first polling question
00:00 hrs + 18 minutes
Indication for slide change = “Now we can look into the Infrastructure Data Breach data…”
00:00 hrs + 21 minutes
Indication for slide change = “A birds eye view of vulnerability map depicted by Homeland Security …”
00:00 hrs + 22 minutes
Indication for slide change = “Lets now talk about Infrastructure Security…”
00:00 hrs + 25 minutes
Indication for slide change = “Lets now talk about Application Security…”
00:00 hrs + 26 minutes
Indication for slide change = “Coming to Application Security Landscape…”
00:00 hrs + 31 minutes
Indication for slide change = “Coming to compliances…”
00:00 hrs + 34 minutes
Indication for slide change = “The components of Enterprise Security…”
00:00 hrs + 39 minutes
Indication for slide change = “Planning for Security…”
Seeded Question: At our organization we use a commercial tool to do all the vulnerability scanning, is it not enough to secure the enterprise?
00:00 hrs + 41 minutes
Indication for slide change = “Levels of Security …”
00:00 hrs + 43 minutes
Indication for slide change = “Operation View of Security …”
00:00 hrs + 44 minutes
Indication for slide change = “I now request Vinay to talk about The budgets and Value for securing IT assets…”
Time for second polling question
00:00 hrs + 46 minutes
Indication for slide change = “Coming to the value of security testing…”
00:00 hrs + 49 minutes
Indication for slide change = “Pramod will now conclude with a summary of the discussion…”
00:00 hrs + 50 minutes
Indication for slide change = “We are now onto Q & A…”
David / Amit to take over. They can talk about the results of the poll responses.