G-4 Fraser Technology Security Presentation · 2016-06-18 · Virtualization • One option –Use...
Technology Security:27th Annual Accounting Show Seminar
Chris Fraser: Consulting Services Manager
Infinity Technology Solutions
September 21, 2012
Quick Poll
Agenda
• Know your Risks
• Cloud and Security
• Virtualization
• Smartphones/Tablets
• Mobile Devices / BYOD
• Social Media
• Next Steps (Including DR)
Know Your Risks – Why Cloud
• Fires, Floods, Hurricanes, Power Outages
• Only 6% of companies that suffer catastrophic data loss fully recover
• 43% never reopen
• 51% close within 2 years of the disaster
• Advantage: Cloud vs. Premise-based
Statistics compiled from 2005 Gartner Group Report
Leverage the Cloud
• Connect from anywhere (but so can the bad guys)
• Cloud providers will add further redundancy with geographically dispersed data centers
• Physical security of data centers is simply not affordable for SMBs on their own ($$$)
• Power Protection
• Fire Protection
• Temperature and Humidity Controls
• Physical Security
• Data Security
What is the Cloud
• Virtual Server Hosting
• SaaS (Software as a Service) (e.g. QB Online)
• Co-location Services
• Website Hosting
• Application Hosting
• Hosted Exchange
• Hosted SharePoint
What about Cloud Problems?
• High profile cases in the news
• In the summer of 2012 nearly half a million email addresses and passwords of Yahoo account holders were published online. In June, more than six million passwords for the professional social networking service LinkedIn were published online. Days later the music website Last.fm warned users of a potential password theft. Then Dropbox…
What about Cloud Security?
• Addresses Risk of Complacency
• Just pay someone else to worry about it, right?
• Lower probability of occurrence if done right
• Higher profile disruption – local server crash doesn’t make the news
• Different Threats – Update your risk assessment
Great Quote:
“Trust but Verify”
Cloud Security
• Cloud computing security (sometimes referred to simply as "cloud security") is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
• Source: http://en.wikipedia.org/wiki/Cloud_computing_security
Passwords Protected by Hash?
• The passwords are often stolen in “hashed” form, meaning some computing work is required to convert them back into usable passwords.
• Yet… by Wednesday afternoon the hackers said they had already recovered hundreds of thousands.
• Source: http://www.telegraph.co.uk/technology/news/9316218/LinkedIn-hacker-also-stole-1.5m-passwords-from-dating-site-eHarmony.html
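Why “hashed” did not mean “safe” in these breaches: a single fast hash with no salt gives every user with the same password the same stored value, and each guess costs one cheap operation. The example below is added here and is not code from the presentation; it contrasts that storage style with a salted, iterated hash (PBKDF2-HMAC-SHA256, iteration count is an assumed work factor) and shows how a site would verify a login against the stored record.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor: each password guess must now cost this many HMAC
# computations instead of a single SHA-1, which is what makes bulk recovery slow.
ITERATIONS = 600_000
SALT_LEN = 16


def unsalted_sha1(password: str) -> str:
    """2012-era style the slide refers to: one fast hash, no salt (for contrast only)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat it as a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    print(unsalted_sha1("Summer2012") == unsalted_sha1("Summer2012"))      # True: one crack exposes both
    print(hash_password("Summer2012") == hash_password("Summer2012"))      # False: salts differ
    print(verify_password("Summer2012", hash_password("Summer2012")))      # True
```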
Know Your Security
• COBIT
• SOC 2 (SAS 70)
• Controls such as
• Data Encryption
• 2-factor authentication (can use the smartphone)
• Monitoring
Tips for Selecting Cloud Vendors
• Do they have Service Level Agreements?
• What type of encryption is used to transmit and store data?
• What are the credentials of the data center?
• Ask for the SOC2 report, and any other 3rd party audits
• What regular security testing do they perform?
• Bandwidth limits? Breach history? Training?
Dropbox Response
• Dropbox will now offer two-factor authentication for members, giving the option of using two forms of identity before access to an account is granted. The company was also adding new automated systems to monitor suspicious activity and a new page allowing members to see all active logins on their account.
Virtualization
• This is BIG!
• Virtualization adds a low-level software layer that allows multiple, even different operating systems and applications to run simultaneously on a host
• Can move a physical server to a virtual one; it is no longer directly tied to physical equipment
• Competition:
• VMware
• Microsoft Hyper-V Server 2012
Virtualization
• One option – Use it for Disaster Recovery
• Local/Onsite Virtualization
• Images of the server environment stored on a local device, which can be mounted following hardware failure or disaster to bring critical systems back up and running.
• Off-site Virtualization (Cloud)
• Images of the server environment stored at off-site data centers, which can be mounted following hardware failure or disaster to bring critical systems back up and running.
Leverage the Cloud
• With a major disaster, there may not be any equipment to restore to. Those backups are useless!
• Cloud providers also provide valuable virtualization features
• Offsite Virtualization allows for the use of servers remotely
• Server images that are backed up offsite can be fully virtualized within hours, or less
• Access to your data requires only an Internet connection
Virtualization Security
• Secure all elements of a full virtualization solution and maintain their security
• Restrict and protect administrator access to the virtualization solution
• Ensure that the hypervisor, the central program that runs the virtual environment, is properly secured
• Carefully plan the security for a full virtualization solution before installing, configuring and deploying it
• http://www.nist.gov/itl/csd/virtual-020111.cfm
Your Biggest Risk
• No Policy
Smartphones/Tablets
• Getting smarter…it’s a mobile computer
• iPad and competitors
• New iPhone 5
• Android
• Samsung Galaxy S III
• Secure it
• Use a password
• Track it – catch a thief
• Encrypt it
Mobile Devices / BYOD
• “Bring Your Own Device” - You can’t stop it
• Allows your employees to be more connected
• If the device is not owned by the company, what rights do you have?
• How do you know if it’s safe to bring into your network?
• Demand passwords and encryption
• Policy to allow company to anything company related from the device
Mobile Device Risks
• Human Error – We love and trust our employees… Until we don’t.
• Unintentional Threats
• Accidental File Deletion
• Failure to Backup
• Accidental Infection
• Device Loss
• Location Data – good and bad
Social Media
• Know your risks
• Rapidly changing
• Facebook owns everything you post
• SEO
Update your DR Plan
• A Disaster Recovery (DR) Plan is a document detailing how you will respond to a disaster. It can, and should, be an extensive document
• New technologies change the old DR plan
• At a minimum, it should include:
• Full technical documentation
• List of vendor contacts and any support agreements
• Onsite and Offsite backup solution
• Detailed recovery steps based on different disaster levels
• Test it!
Managed Services
• Best Practice for new technologies: Managed IT Service Providers
• Expertise in a changing arena (IT)
• Option that Ensures Alignment of Interests
• Best ‘Bang for the Buck’
• Scalable
• Fixed Cost for Unlimited Support
• Provide Fortune 100 Grade Support for Price that SMB Can Afford
Security Tip
• Your take away from today:
• Improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, doing so means that if any one site is compromised, all your accounts are at risk
• Password complexity matters
• Don’t keep your password static (Change every # days/months)
What are the Next Steps?
• Develop a policy and plan – even if it is brief
• Adapt to new technologies
• Ensure that reliable security is in place
• Ensure that critical data and systems have proper controls
• Plan for BYOD devices
For CPAs
• FICPA Business Technology Section
• CITP Credential
CITP Credential
• A Certified Information Technology Professional (CITP) is a Certified Public Accountant recognized for his or her unique ability to provide business insight by leveraging knowledge of information relationships and supporting technologies. The CITP credential focuses on information management and technology assurance, making a CPA among the most trusted business advisors.
Distinguish yourself from other information management and technology assurance professionals. Only CPAs can be CITPs, allowing CITPs to capitalize on the profession’s trusted reputation and helping them to differentiate themselves from other professionals in the marketplace.
CITP Body of Knowledge
IT AUDIT AND ATTEST SERVICES
INFORMATION CONTROL AND ASSURANCE (on financial statements, a segment, or operations)
Table columns: Summary Descr. | Specific Application | Related AICPA Initiatives | Market Impact/Trend
• Types: Fin. Stmt Audit; SAS 70s; Trust Services; Privacy; Peer Review; Risk-Based Auditing Stds (SASs); Stmt on Auditing Stds (SASs); Exposure drafts; PCAOB & SEC; AICPA ASB
• Internal Control: Sarbanes Oxley; COSO, CoBIT; Center of Audit Quality; PCAOB & SEC; Economic crisis
• Fraud: Digital Evidence; SAS 99; Forensic Valuation Svcs; Certified in Fin. Forensics (CFF); Stmt on Auditing Stds (SASs); Economic crisis; Computer Forensics
• Risk Assessment: Risk-based auditing; Risk-Based Auditing Stds (SASs); Center of Audit Quality; PCPS Firm Management; AICPA ASB; Risk Management
• IT General Controls: IT Audit/Compliance; Governance; Security; Risk-Based Auditing Stds (SASs); Center of Audit Quality; AICPA ASB
• Auditing Techniques: App. Testing; CAATTs; Data Analytics; Forensic Valuation Svcs; Certified in Fin. Forensics (CFF); Center of Audit Quality; Continuous Auditing
• Assessment of IT Controls: Deficiency/Mat. Weakness; Unqualified/Qual. Opinion; Risk-Based Auditing Stds (SASs); Center of Audit Quality; PCAOB & SEC; AICPA ASB
AICPA, Certified Information Technology Professional Credential - Informatio
Version: July 2009
Thank You
Chris Fraser, CPA, CITP
Consulting Services Manager
Infinity Technology Solutions
infinityIT.com
Which is Scarier?