Post on 30-Apr-2020

How much Security is Enough?

Security & Solution

What is adequate Security for your Organization?

• What needs to be protected?
• Why does it need to be protected?
• What happens if it is not protected?
• What will it cost you?

How to get started?

Audit & Assessment
• Identify your business processes
• Identify assets that are supporting your business processes
• Identify threats to those assets
• Assess your current security measures (Security assessment)

Output
• A risk treatment plan tailored to your organization's needs and priorities

Example

Company ABC
- Distributed workforce
- IT Infrastructure
  - Messaging
  - Web
  - Database
  - Remote Access

Audit & Assessment of Company ABC

Business processes are
- Placing of order by Sales personnel
- Enquiry by Online customer

Assets that are required by those processes

Placing of order by Sales personnel
• Dial-up Server
• Web server
• Database server
• Messaging server
• PC / Notebook used by sales personnel

Enquiry by customer
• Web server
• Internet connection
• Database server
• Messaging server

Threats identified to those assets

Dial-up server – power, lightning, hacker
Web server – power, worm, hacker, phishing
Database server – power, worm, hacker, disgruntled employee
Messaging server – power, worm, hacker
PC – power, worm, virus, hacker, SPAM
Internet Access – power, DDOS

Security assessment

• The aim of a security assessment is to find vulnerabilities

• Not just in IT infrastructure but also in processes

Risk Treatment Plan

• Reduce the risk
• Accept the risk
• Outsource the risk

Reducing Risk

• Security Policy
• Educating your users
• Implement Security Products to mitigate risks

Security Aware

Network Infra

Evolution of Security Tools

• Firewall
• Intrusion Detection System
• Intrusion Prevention System
• Desktop Antivirus
• Gateway Antivirus
• SPAM Filtering
• Antivirus Suite
• Content Filtering
• Bandwidth Shaping
• Deep Packet Inspection Firewall
• Consolidated Perimeter Device
• Integrated Security Appliance

Power

• UPS

• Generator

Lightning

• Lightning arrestor

Worm

• Email worm
– Anti-virus suite

• Network worm
– OS Patching suite

Hacker

• Network based IPS / Host based IPS
• Multi-tier Firewall
• VPN
• Two factor Authentication
• Wireless Security

Disgruntled Employee

• Authentication
• Authorization
• Accounting / Tracking
• Access control
– Physical
– Logical

Virus / SPAM

• Anti-virus suite
• Anti-spam suite
• Educating users

Customer Internet Mail Statistics

• Total emails received through our gateway = 3,444,992

• SPAM emails = 1,252,243 (36.35%)

• Emails with Virus = 177,858 (5.16%)

DDOS

• Intrusion prevention systems

• Prevent your network from being flooded

Phishing

Protect own staff
• Anti-virus suite
• IPS
• Education

Protect users
• Outsourcing service

Accepting Risk

• Power
– Generator

• Phishing
– Protecting users

Outsourcing risk

• Outsource to insurance company - fire
• Outsource to MSP – phishing, spam

Common Security Misconceptions

1. My network is not interesting enough to be attacked.
– Worms do not attack your network and systems to steal information from you, but to create havoc and use your computer as a launching pad to attack other networks and systems.

2. If the system is working fine, we have not been cracked yet.
– Are you sure? A security assessment is often the best way to find out whether that's true.

3. Installing a Firewall (or Antivirus or IDS ..) will solve all our problems.
– “Security is not a product but a process.”
– Do you have a clearly defined process?

Common Security Misconceptions

4. We can't afford the investments to properly secure our systems.
– Security does not necessarily mean huge investment; sometimes it only requires changes in user mindset and behaviour to secure systems.
– A security assessment helps you to identify where you should spend, based on your organization's priorities.

5. This website uses SSL, so it must be secured.
– Heard of “Phishing”? Maybank2u.com user details update

Where do I start?

• Totally clueless?
– Speak to a reputable Security Solution provider
• (example - KKIPCOM)

• Some Idea.. For DIY
1. Identify your processes & assets & threats to them
2. Do a security assessment & come up with a risk treatment plan
3. Implement that plan
4. Train up your security team & educate your users
5. Monitor your security baseline (from security assessment)
6. Sign up for vulnerability email lists
7. Monitor patches and patch religiously
8. Do periodic security assessments

• Alternatively
– Consider outsourcing

Resources for DIY

Read Up! Subscribe to security mailing lists or RSS logs

• SANS Institute: Articles, resources, and vulnerability listings. http://www.sans.org
• Security Focus: Vulnerability listings and home of the Bugtraq mailing list. http://www.securityfocus.com
• CERT: Vulnerability advisories and security articles. http://www.cert.org
• MyCERT: http://www.mycert.mimos.my
• National ICT Security & Emergency Response Centre: http://www.niser.org.my

KKIP Communications Sdn Bhd Services

• IT and Security Consultancy
• Managed Security Services
• Security Monitoring Services
• Professional Services

Thank you

Everyone is welcome to our booth to see some of the security appliances
