Enterprise under attack dealing with security threats and compliance
Download as PPTX, PDF•1 like•904 views
The document addresses the increasing security threats enterprises face due to continuous vulnerabilities, highlighting the significant financial impact and compliance demands. It emphasizes the need for enterprises to implement a comprehensive security strategy, including application security, infrastructure security, and operational security, while maintaining compliance through audits and management of security trends. By adopting these measures, organizations can protect their assets, save costs, and gain a competitive advantage in the market.
Enterprise under attack dealing with security threats and compliance
- 1. 1 Enterprises under Attack: Dealing with security threats and compliance Sponsored by: SPAN Systems Corporation Produced and Presented by: The Outsourcing Institute
- 2. 2 The Outsourcing Institute • Located at outsourcing.com – Over 70,000 Executive Members Globally • Trends, Best Practices, Case Studies • Training Through OI University • Specialize in Low Cost Alternatives for Outsourcing Buyers Needing Assistance with RFP Development and/or Vendor Selection: – Outsourcing RFP Builder Software – Matchmaker Service • Qualified Demand Generation Programs • Outsourcing Jobs Opportunities and Recruiting Services Through CMS Inc. • Local, Intimate and Interactive Outsourcing Road Show • Sponsorship and New Business Development Opportunities & Programs For more information contact us at: [email protected] or 516-279-6850 ext. 712
- 3. 3 Today’s Speakers www.spansystems.com 3Copyright: SPAN Systems Corporation Amit Singh, Partner Avasant Vinay Ambekar, Senior Vice President, Engineering, Lavante Inc. Pramod Grama, Co-founder and Executive Vice President, SPAN Infotech (India) Pvt. Ltd. Lakshminarasimha Manjunatha Mohan, Solution Architect, SPAN Infotech (India) Pvt. Ltd.
- 4. 4 Topics Enterprise Security Stature Enterprise Security Landscape Value of Enterprise Security Dealing with Security Threats and Compliances Application Security Infrastructure Security Compliances Validation Budgeting for Security
- 5. 5 Enterprise Security Stature Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK • Human Errors and systems glitches caused nearly two-thirds of data breaches globally in 2012 • Malicious or criminal attacks are the most costly threats at an average of $157 per compromised record Source: 2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec, June 2013 • Through 2016, the financial impact of cybercrime will grow 10% per year, due to the continuing discovery of new vulnerabilities • By 2016, 40% of enterprises will make proof of independent security testing a precondition for using any type of cloud service Source: Gartner Top Predictions for 2012: Control Slips Away, Gartner, December 2011 Security is an ever moving Target 63% 23% 15% 9% 41% 15% 7% 4% Attacked by an unauthorized outsider Hit by denial-of-service attacks Network penetration by outsiders IP and Confidential Data Theft Security Breach Statistics – Small Organizations 2012 2011 78% 39% 20% 14% 73% 30% 15% 12% Attacked by an unauthorized outsider Hit by denial-of-service attacks Network penetration by outsiders IP and Confidential Data Theft Security Breach Statistics - Large Organizations 2012 2011
- 6. 6 Enterprise Security Landscape Application Security Enterprises must address Security Threats in order to conduct the business safely • Injection • Broken Authentication and Session Management • Cross-Site Scripting (XSS) • Insecure Direct Object References • Security Misconfiguration • Sensitive Data Exposure • Missing Function Level Access Control • Cross-Site Request Forgery (CSRF) • Using Components with Known Vulnerabilities • Unvalidated Redirects and Forwards Firewall Web server Firewall Application Server Database Server • Router • Firewall • Switch Host Security • Patches and Updates • Services • Protocols • Accounts • Files and Directories • Shares • Ports • Registry • Auditing and Logging Network Security Infrastructure Security
- 7. 7 Dealing with Security Threats and Compliances Security is a not a product, but a process. Pre-Production Security Testing Application Security Tests Enterprise Security – Approach Post-Production Security Testing Infrastructure Security Tests Periodic Security Audits Compliance Validations Managed Security Monitoring and Operations Establish Enterprise Security Baseline • Applications Security Testing • Infrastructure Security Testing • Compliance Validations Maintain Baseline Security Stature • Security Validation across SDLC • Security Monitoring and Operational Security • Periodic Security Audits and Compliance Validations
- 8. 8 Infrastructure Security Source: http://hackmageddon.com Threats + Motives + Tools and Techniques + Vulnerabilities = Attack
- 9. 9 Infrastructure Security The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack. http://money.cnn.com/2013/01/09/technology/security/infrastructure-cyberattacks/ http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Oct-Dec2012.pdf
- 10. 10 Infrastructure Security • Plan to secure the infrastructure (Network, Servers, Desktops and Mobile) • Perform Attack Surface Analysis and design a Secure Architecture • Consider both Internal and External Penetration tests to address internal abuse and external intrusion • Plan for Operational Security through Managed Security Services such as Unified Threat Management Elicitate Security Requirements Threat Modeling and Attack Surface Analysis Vulnerability Assessment Penetration Testing Ethical Hacking Enterprise Network Security z Operations Security & Monitoring Threat Management Incident Management Log Management Security breaches lead directly to financial fraud, identity theft, regulatory fines, brand damage, lawsuits, downtime, malware propagation and loss of customers.
- 11. 11 Application Security About 90% of the applications tested by SPAN revealed at least one HIGH RISK vulnerability (Source: SPAN Security Testing Metrics) (Source: SPAN Security Testing Metrics) Applications Vulnerability Distribution - OWASP Top 10 Vulnerabilities
- 12. 12 Application Security • Assess the required Security Level for the application based on the data sensitivity and threat exposure • Employ vulnerability management and plan to preempt the vulnerabilities from occurring. Left Shift from detection to prevention • Plan for application Security for every release. • Plan for required level of security verification for the release based on the quantum and criticality of the change in code • Ensure that the Security Team has qualified Ethical Hackers, Secure Programmers and Security Architects • Ensure to follow methodologies widely accepted by industry such as OWASP Application Security Verification Standards • Ensure to plan for testing all the components with identified rigor. • There is no tool in the industry that can identify all the vulnerabilities. Leverage on Skilled exploratory testing by ethical hackers along with the power and speed of the tools Need is for more secure software, NOT more Security software Elicitate Security Requirements (Evil Stories) Threat Modeling and Attack Surface Analysis Security Code Review Vulnerability Assessment Penetration Testing Ethical Hacking Requirements Design Development Deployment Post-Deployment Application Security
- 13. 13 • Establish Compliance Requirements – Regulatory, Standards and Legal • Plan for Pre - Audits • Establish Compliance Metrics Dashboard and keep track • Perform a Statistical Analysis and Implement Lessons Learned Compliance Validation Example Security Compliance Dashboard Enterprise Security Compliances Physical Security • Access Control & Management Application Security • Secure Design • Secure Development • Vulnerability Management • Periodic Penetration Testing Infrastructure Security Process Security • Secured Data Centers • Threat Management • Events and Log Management • Incident Management • Periodic Penetration Testing • Change Control Management • Policies and Procedures Source: http://www.isaca.org/
- 14. 14 Enterprise Security Security Test Methodology Penetration Testing Information Gathering Threat Modeling and Attack Surface Analysis Vulnerability Analysis Exploitation Advancing Exploitation Reporting Application/System Security Network Security Identity and Access Control Physical Security Threat Management Logs and Event Management Incident Management Requirements Gathering Threat ProfilingSecurity Testing Periodic Testing Compliance Validation It is far preferable to do something NOW to avert and minimize harm before disaster strikes
- 15. 15 Enterprise Application Security Plan
- 16. 16 Enterprise Compliance Validation Plan
- 17. 17 Security Verification Level Selection The sensitivity of the application is identified based on the sensitivity of the data processed by the application and the impact on the business by the application. Identify what is BEST for you; all best practices are contextual Category Highly Sensitive Moderately Sensitive Low Sensitive Application exposed over internet for public • Threat Modeling & Attack Surface Analysis • Static Code Analysis • Security Code Review • Vulnerability Assessment • Application Penetration Testing • Static Code Analysis • Security Code Review • Vulnerability Assessment • Application Penetration Testing • Static Code Analysis • Security Code Review • Vulnerability Assessment • Application Penetration Testing Application exposed to legitimate users over Intranet or Dedicated Channels • Threat Modeling & Attack Surface Analysis • Static Code Analysis • Security Code Review • Application Penetration Testing • Static Code Analysis • Security Code Review • Vulnerability Assessment • Application Penetration Testing • Static Code Analysis • Vulnerability Assessment
- 18. 18 Operational View of Security Testing Security Testing – Operational Overview Pre Production Security Testing Production Security Testing Automated Static Code Analysis -Security Manual Security Code Review StaticSecurity Testing Automated Vulnerability Scanning Penetration Testing DynamicSecurity Testing Ethical Hacking Compliance Validation Security Monitoring ThreatModelingandAttack SurfaceAnalysis
- 19. 19 Budgeting for Security Source: 2013 INFORMATION SECURITY BREACHES SURVEY - Published by The Department for Business, Innovation and Skills (BIS), UK Enterprises must plan to protect the brand, attain compliance and avert costly breaches Protecting other assets (e.g. Cash) from theft Improving efficiency /cost reduction Enabling business opportunities Protecting intellectual property Business continuity in a disaster situation Protecting customer information Preventing downtime and outages Complying with laws/regulations Protecting the organisation’s reputation Maintaining data integrity Information Security ExpenditureBusiness Drivers for Information Security Expenditure 10% of IT budget is spent on an average on security (up from 8% a year ago) 16% of IT budget is spent on an average on security, where security is a very high priority (up from 11% a year ago) 92% of respondents expect to spend at least the same on security next year (and 47% expect to spend more)
- 20. 20 Value of Enterprise Security Protect the brand, attain compliance and avert costly breaches. Save Money and Business • Avoid the potential penalties due to non-conformance to security compliances • Avoid the losses due to financial fraud, identity theft, regulatory fines G Better Protection of Assets and Business • Proactively respond to the real world security threats • Comply to different standards and regulatory compliances Gain competitive advantage • Increased TRUST of users and customer • Avoid Brand Damage, downtime and loss of customer %
- 21. 21 Summary Enterprises are under attack due to continuous discovery of vulnerabilities Enterprises can deal with security threats and meet the regulatory compliance demands by employing • Plan for securing assets • Assess gaps and establish a baseline security • Maintain security by employing Application Security, Infrastructure Security and Operations Security measures • Achieve Compliance by Pre-Audits and continuous management of trend Protect Business, Save Money and Gain Competitive Advantage by ensuring Enterprise Security
- 22. 22Copyright: SPAN Systems Corporation www.spansystems.com 22 SPAN Systems Corporation U.S. ‘C’ Corporation 1993 incorporated Wholly owned by EVRY (www.evry.com), a $2.3 Billion Nordic company Ranked #7 Best IT Places to Work For in India; Historically low attrition CMMI5, ISO 9001 and ISO 27001 certifications Strong Relationship Management Customers range from Fortune 5 to SMEs
- 23. 23 Poll Questions Copyright: SPAN Systems Corporation www.spansystems.com How important is security testing for you Critical Very Important Important Not Important Can’t say Do you have a security solution in place for your enterprise if not would like to implement one? Have NO security solution and want to implement immediately Have a reasonable security solution and want to look at options to strengthen the solution Have a very secure solution would not want to make any changes Have NO security solution and do not want to implement any security measures
- 24. 24 Thank you for joining Enterprises under Attack: Dealing with security threats and compliance This webinar was sponsored by SPAN Systems Corporation in conjunction with The Outsourcing Institute. Amit singh, Partner Avasant Vinay Ambekar, Senior Vice President, Engineering, Lavante Inc. Pramod Grama, Co-founder and Executive Vice President, SPAN Infotech (India) Pvt. Ltd. Lakshminarasimha Manjunatha Mohan, Solution Architect, SPAN Infotech (India) Pvt. Ltd.
Editor's Notes
- #2: Webinar Starts at 10:30 PM IST OI to enter the local start time 00:00 hrs David and/or Amit to initiate
- #3: 00:00 hrs + 2 minutes Key word for next slide = “Next we talk about the speakers…”
- #4: 00:00 hrs + 4 minutes Key word for next slide = “Next we talk about the Topics for Discussion…”
- #5: 00:00 hrs + 6 minutes Indication for Pramod to take over from David/Amit Key word for slide change = “I would now ask Pramod to introduce us to Enterprise Security…”
- #6: 00:00 hrs + 9 minutes Indication for slide change = “Next we will talk about the Security Landscape
- #7: 00:00 hrs + 14 minutes Indication for slide change = “I will now ask LN to take us into the Security Aspects for Enterprises …” Time for first polling question
- #8: 00:00 hrs + 18 minutes Indication for slide change = “Now we can look into the Infrastructure Data Breach data…”
- #9: 00:00 hrs + 21 minutes Indication for slide change = “A birds eye view of vulnerability map depicted by Homeland Security …”
- #10: 00:00 hrs + 22 minutes Indication for slide change = “Lets now talk about Infrastructure Security…”
- #11: 00:00 hrs + 25 minutes Indication for slide change = “Lets now talk about Application Security…”
- #12: 00:00 hrs + 26 minutes Indication for slide change = “Coming to Application Security Landscape…”
- #13: 00:00 hrs + 31 minutes Indication for slide change = “Coming to compliances…”
- #14: 00:00 hrs + 34 minutes Indication for slide change = “The components of Enterprise Security…”
- #15: 00:00 hrs + 39 minutes Indication for slide change = “Planning for Security…” Seeded Question: At our organization we use a commercial tool to do all the vulnerability scanning, is it not enough to secure the enterprise?
- #16: 00:00 hrs + 40 minutes Indication for slide change = “Compliance Planning…”
- #17: 00:00 hrs + 41 minutes Indication for slide change = “Levels of Security …”
- #18: 00:00 hrs + 43 minutes Indication for slide change = “Operation View of Security …”
- #19: 00:00 hrs + 44 minutes Indication for slide change = “I now request Vinay to talk about The budgets and Value for securing IT assets…” Time for second polling question
- #20: 00:00 hrs + 46 minutes Indication for slide change = “Coming to the value of security testing…”
- #21: 00:00 hrs + 49 minutes Indication for slide change = “Pramod will now conclude with a summary of the discussion…”
- #22: 00:00 hrs + 50 minutes Indication for slide change = “We are now onto Q & A…” David / Amit to take over. They can talk about the results of the poll responses.