3. ORGANISATIONS CAN BE TIGHT ..
• There are many reasons why there is no cash for a security program
• We don’t have anything that anyone would want?
• We’ve never been hacked!
• What do we get in return?
• We have other pressing priorities .. Get back to work!
4. YOU CAN DO IT!
• Start off with the basics and show that it has some business value
• Implement policies – have a security position
• Patch your systems and applications regularly
• Run anti-virus
• Limit the use of privileged access
• Backups & recovery processes
• Incident response
• Security awareness
5. POLICIES/SECURITY POSITION
• Grab some template policies and modify them to suit your organisation
• Have a security statement (e.g. “We take security seriously blah blah blah”)
• Have an acceptable use policy
• Refer to existing frameworks for guidance
• ISO27001/2
• IS18
• NIST
• COBIT
• PCI DSS
6. PATCH YOUR SYSTEMS
• According to CNN Money, in 2015 90% of attacks leveraged old vulnerabilities that already had patches available
• Use free tools to patch your Windows systems – Windows Server Update Services (WSUS)
• Set Windows desktop machines to automatically install updates if you can’t use a patching tool
• Java and Flash are evil!! Patch regularly or remove if possible
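An added example (not from the original deck) of the two desktop-side steps above in PowerShell: write the same Automatic Updates policy values that the "Configure Automatic Updates" Group Policy sets, optionally pointing the machine at a WSUS server, and list the installed Java and Flash Player packages so they can be patched or uninstalled. Run it as Administrator; the WSUS URL and the `Enable-AutoUpdatePolicy`/`Get-RiskyRuntime` function names are assumptions for this example.

```powershell
# Added example, not the deck's own code. Run in an elevated PowerShell session.
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Enable-AutoUpdatePolicy {
    param(
        [string]$WsusServer = '',   # assumed placeholder, e.g. 'http://wsus.example.local:8530'
        [int]$InstallHour  = 3      # local hour (0-23) at which scheduled installs run
    )
    # -Force also creates the parent WindowsUpdate key if it does not exist yet.
    New-Item -Path $AuKey -Force | Out-Null

    # NoAutoUpdate=0 switches Automatic Updates on; AUOptions=4 means
    # "auto download and schedule the install"; day 0 = every day.
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate         -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions            -Value 4 -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value 0 -Type DWord
    Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord

    if ($WsusServer) {
        # Point the client at WSUS for both updates and status reporting.
        Set-ItemProperty -Path $WuKey -Name WUServer       -Value $WsusServer -Type String
        Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $WsusServer -Type String
        Set-ItemProperty -Path $AuKey -Name UseWUServer    -Value 1 -Type DWord
    } else {
        # No WSUS: let the client talk to Microsoft Update directly.
        Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 0 -Type DWord
    }
    Restart-Service -Name wuauserv   # make the Windows Update agent re-read the policy
}

function Get-RiskyRuntime {
    # Installed-programs inventory lives under the Uninstall keys (64- and 32-bit views).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Flash Player' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString |
        Sort-Object DisplayName
}

function Get-DaysSinceLastPatch {
    # Age of the most recently installed hotfix; a large number means patching has stalled.
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
            Select-Object -First 1
    if ($last) { [int]((Get-Date) - $last.InstalledOn).TotalDays } else { $null }
}

Enable-AutoUpdatePolicy -WsusServer ''          # standalone machine, no WSUS
Get-RiskyRuntime | Format-Table -AutoSize       # what to patch or remove
"Days since last patch: $(Get-DaysSinceLastPatch)"
```

The registry values are the ones documented for the Windows Update policy CSP and the corresponding GPO, so a machine configured this way reports the same state as one managed by Group Policy. `Get-RiskyRuntime` only finds products registered in the Uninstall keys; per-user installs and portable copies need a file-system search as well.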
7. ANTI-VIRUS
• Anti-virus is dead ?!?
• Symantec reported 317 million new malware samples were seen in 2014
• Microsoft Security Essentials/Windows Defender
8. PRIVILEGED ACCESS
• Principle of least privilege (least access)
• Limit access to the minimal level that still allows normal functioning
• Often user error is the cause of incidents & additional work
• Do you need to browse Facebook as an administrator to your organisation?
• The 2016 Mandiant M-Trends report discussed a case where an attacker obtained admin access and spread ransomware through Group Policy
9. BACKUP & RECOVERY
• Determine what your critical business systems and information are
• Back up regularly and test often
• Periodically review and ensure all critical business data is backed up
• Encrypt your backups if they contain sensitive data
• Think about business continuity and disaster recovery (short & long term outages)
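An added example (not from the deck) that carries the "back up regularly and test often" step through in PowerShell: archive a folder, record the archive's SHA-256 so corruption or tampering is detectable, then perform a test restore into a scratch folder and compare every file's hash against the source. `Compress-Archive` does not encrypt; this example assumes the destination is an encrypted volume (for instance BitLocker) or that the archive is encrypted by a separate tool before leaving the machine. The `Backup-AndVerify` function name and the sample paths are assumptions.

```powershell
# Added example, not the deck's own code.
function Backup-AndVerify {
    param(
        [Parameter(Mandatory)][string]$Source,       # folder holding the critical data
        [Parameter(Mandatory)][string]$Destination   # backup folder (assumed to sit on an encrypted volume)
    )
    $Source  = $Source.TrimEnd('\')
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $archive = Join-Path $Destination "backup-$stamp.zip"
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }

    # 1. Take the backup.
    Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $archive -CompressionLevel Optimal

    # 2. Record the archive hash next to the backups for later integrity checks.
    $hash = (Get-FileHash -Path $archive -Algorithm SHA256).Hash
    "$hash  $(Split-Path $archive -Leaf)" | Add-Content -Path (Join-Path $Destination 'SHA256SUMS.txt')

    # 3. Test restore: expand into a scratch folder and compare file by file.
    $scratch = Join-Path ([IO.Path]::GetTempPath()) "restore-test-$stamp"
    Expand-Archive -Path $archive -DestinationPath $scratch
    $problems = @()
    foreach ($file in Get-ChildItem -Path $Source -Recurse -File) {
        $rel      = $file.FullName.Substring($Source.Length + 1)   # path relative to $Source
        $restored = Join-Path $scratch $rel
        if (-not (Test-Path $restored)) { $problems += "missing: $rel"; continue }
        $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -Path $restored      -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) { $problems += "changed: $rel" }
    }
    Remove-Item -Path $scratch -Recurse -Force

    [pscustomobject]@{
        Archive   = $archive
        Sha256    = $hash
        RestoreOk = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Sample invocation with assumed paths.
$result = Backup-AndVerify -Source 'C:\CriticalData' -Destination 'E:\Backups'
$result | Format-List
if (-not $result.RestoreOk) { Write-Error "Test restore failed: $($result.Problems -join '; ')" }
```

Two limits of `Compress-Archive` matter for a real schedule: it skips empty directories and cannot produce archives over 2 GB, so larger data sets need a different archiver, while the hash-and-test-restore logic stays the same.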
10. INCIDENT RESPONSE
• Have a plan ready for when it all goes bad
• Your plan could be to have someone else do it!
• Keep regular contact with law enforcement, AusCERT, CERT Australia etc.
• Maybe put a 3rd party on a retainer for IR & investigations
11. SECURITY AWARENESS
• We’re all human .. That’s why we’re targets
• Inform the users what security means to the organisation
• Relate it back to your security policies and guidelines
• Tell them what to do if they make a mistake or suspect a weakness
• Conduct it regularly and for all new users
15. RESOURCES
• Security Awareness
• NIST: Building an Information Technology Security Awareness and Training Program - http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
• SANS Securing the Human (look in the resources area) - http://securingthehuman.sans.org/
• PCI Best practices for implementing a security awareness program - https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
Editor's notes
Companies big and small find it hard to get funding for a security program
No ROI that is visible (you can’t see it when you don’t get hacked, right?)
We always hear about the big ones (Ashley Madison, Sony, Target etc.) .. but it happens here every day as well
No mandatory breach notification
Supply chain
Need to know what security looks like to understand what level of risk is out there