Security Essentials
Uploaded by ashley-deuble
SECURITY ESSENTIALS
https://au.linkedin.com/in/ashleydeuble
BAD STUFF HAPPENS ..
ORGANISATIONS CAN BE TIGHT ..
• There are many reasons why there is no cash for a security program
• We don’t have anything that anyone would want?
• We’ve never been hacked!
• What do we get in return?
• We have other pressing priorities .. Get back to work!
YOU CAN DO IT!
• Start off with the basics and show that it has some business value
• Implement policies – have a security position
• Patch your systems and applications regularly
• Run anti-virus
• Limit the use of privileged access
• Backups & recovery processes
• Incident response
• Security awareness
POLICIES/SECURITY POSITION
• Grab some template policies and modify them to suit your organisation
• Have a security statement (e.g. “We take security seriously blah blah blah”)
• Have an acceptable use policy
• Refer to existing frameworks for guidance
  • ISO27001/2
  • IS18
  • NIST
  • COBIT
  • PCI DSS
PATCH YOUR SYSTEMS
• According to CNN Money – In 2015, 90% of attacks leveraged old vulnerabilities that already had patches available
• Use free tools to patch your Windows systems – Windows Server Update Services (WSUS)
• Set Windows desktop machines to automatically install updates if you can’t use a patching tool
• Java and Flash are evil!! Patch regularly or remove if possible
ANTI-VIRUS
• Anti-virus is dead ?!?
• Symantec reported 317 million new malware samples were seen in 2014
• Microsoft Security Essentials/Windows Defender
PRIVILEGED ACCESS
• Principle of least access
• Limiting access to the minimal level that will allow normal functioning
• Often user error is the cause of incidents & additional work
• Do you need to browse Facebook as an administrator to your organisation?
• 2016 Mandiant M-Trends report discussed a case where an attacker obtained admin access and spread ransomware through Group Policy
BACKUP & RECOVERY
• Determine what your critical business systems and information are
• Back up regularly and test often
• Periodically review and ensure all critical business data is backed up
• Encrypt your backups if they contain sensitive data
• Think about business continuity and disaster recovery (short & long term outages)
INCIDENT RESPONSE
• Have a plan ready for when it all goes bad
• Your plan could be to have someone else do it!
• Keep regular contact with law enforcement, AusCERT, CERT Australia etc.
• Maybe put a 3rd party on a retainer for IR & investigations
SECURITY AWARENESS
• We’re all human .. That’s why we’re targets
• Inform the users what security means to the organisation
• Relate it back to your security policies and guidelines
• Tell them what to do if they make a mistake or suspect a weakness
• Conduct it regularly and for all new users
RESOURCES
• Security Policy
  • SANS - https://www.sans.org/security-resources/policies
  • CSO - http://www.csoonline.com/article/3019126/security/security-policy-samples-templates-and-tools.html
• Security Frameworks
  • ISO 27001 - http://www.iso27001security.com/
  • ISACA COBIT 5 - http://www.isaca.org/cobit/pages/cobit-5-framework-product-page.aspx
  • PCI DSS - https://www.pcisecuritystandards.org/pci_security/
  • NIST Cybersecurity Framework - http://www.nist.gov/cyberframework/
• Patching Systems
  • Microsoft WSUS - https://www.microsoft.com/en-au/download/details.aspx?id=5216
  • Red Hat Satellite - https://www.redhat.com/en/technologies/linux-platforms/satellite
• Antivirus
  • Microsoft Security Essentials/Windows Defender - http://windows.microsoft.com/en-AU/windows/security-essentials-download
• Mandiant M-Trends 2016 report
  • https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf
• Incident Response
  • Count Upon Security (with links to supplementary materials) - http://countuponsecurity.com/2012/12/21/computer-security-incident-handling-6-steps/
  • SANS Incident Handlers Handbook Whitepaper - https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• Security Awareness
  • NIST: Building an Information Technology Security Awareness and Training Program - http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
  • SANS Securing the Human (look in the resources area) - http://securingthehuman.sans.org/
  • PCI Best practices for implementing a security awareness program - https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf