The Top 10 things you must do to protect security systems from cyber attacks
Dave Tyson, CPP, CISSP, MBA

Dave's Bio
• 16 years in the physical security industry
• Executive protection
• Investigations
• Security officers
• Security systems
• Chief Security Officer
• 20 years in the cyber security industry
• Chief Information Security Officer
• Cyber security consultant
• Vulnerability testing company owner
• Industry experience & credentials
• Certified Protection Professional
• Certified Information Systems Security Professional
• MBA, Digital Technology Mgt.
• 2015 President, ASIS International

Agenda
• Level setting
• How cyber attacks are carried out
• Top 10 must-do activities
Why?
Ø 1 in 101 emails is malicious
Ø 32% of email is actually clean enough for delivery

How?
• It was insecure to start with
• It was installed poorly
• It wasn't maintained or monitored correctly

What
• Interconnectivity
• Complexity
• It's a weakest-link discipline
Top 10 List
1. Do you have requirements for securing the tool or system?
2. Did it start secure?
3. Was it installed with a secure design?
4. Have the integration points been considered?
5. Is it tested for security before going live?
6. Are all the basics covered?
7. How will you know if the system is violated?
8. Who is going to monitor the system or tool for variance?
9. How will it be maintained?
10. Use security intelligence to understand your adversary's approach
#1 - Do you have requirements for securing the tool or system?
• Security requirements must be developed if you want to let the technical team know your expectations!

#2 - Did it start secure?
• Beyond the vendor statements!
• What assurance level do you require?
#3 - Was it installed with a secure design?
• Was a documented design created by an expert?
• Did the security requirements make it into the design?
• Was it installed according to the design?

#4 - Have the integration points been considered?
• For systems that will be integrated or talked to, have the security issues been considered?
#5 - Is it tested for security before going live?
• Measure 6 times, cut once!
• No scope restrictions!
• Testing criteria should be added into the requirements document!

#6 - Are all the basics covered?
• Do you know all who will have access? Even in an emergency!
• Are the lockouts complete?
• Is there documentation?
• Is training included?

#7 - How will you know if the system is violated?
• What does an attack look like for this system?
• What is the baseline, what does normal look like?

#8 - Who is going to monitor the system or tool for variance?
• Who will monitor?
• What are the escalation paths?
• What about reporting?

#9 - How will it be maintained?
• Who will patch and update it?
• What about end of life and replacement?
• Secure disposal?
#10 - Use security intelligence to understand your adversary's approach
• Know thy enemy!

Summary
• Plan to succeed
• Work the top 10 list at a minimum
• Decide how much risk is acceptable
• Doorway to the data network

Contact: [email protected] | @cisoinsights | https://www.facebook.com/cisoinsights/ | www.cybereasylearning.com