Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins
A little about your presenter:
- Director of Information Technology for Eurofins
- 20 years of information technology experience
- Previously provided security consultation and audit services for banks and credit unions
- Appointed to the Architecture Review Board and Security Task Force for the Centers for Medicare and Medicaid, a division of Health and Human Services
Many attacks recently: what does that mean?
- Increased level of publicity = increased notoriety for those performing the attacks
- For every hacking attempt reported, many more go unreported
- Even more alarming, many attacks go unnoticed!
Why do we need IT security? It seems very expensive.
- First and foremost, to protect your company and your clients
- Regulatory requirements
How do I know what my risks are?
- If you don't know, ask for help! Many companies specialize in IT security
- Your biggest areas of exposure are your ingress points: start there, just like locking the doors to your home
- After that, consult the security wheel
[Figure: the Cisco Security Wheel, courtesy of Cisco. Corporate Policy sits at the hub; the cycle around it runs Secure, Monitor and Respond, Test, Manage and Improve.]
Corporate Policy
- Often overlooked, but key to the success of all the other steps
- Write it down!
- NIST (National Institute of Standards and Technology) is an excellent resource for general guidelines and common practices: http://csrc.nist.gov/publications/pubssps.html
- Don't overlook training and awareness (NIST SP 800-50)
Who, What, When, and How: a framework for a policy
- Who: Determine who has access to your IT systems. In addition to employees, this includes vendors, business partners, and clients
- What: Identify the systems accessible by the list of "who": Internet sites, intranet, files, databases, email, etc.
- When: Not all systems need to be accessible at all hours or on all days. Perhaps restrict access to working hours only (used less often now that people have become more mobile)
- How: Internal, external, remote. Are clients accessing systems via websites? How are your employees accessing IT systems?
Document your policies once you have answered the Who, What, When, and How questions
- Should be accessible by all employees and auditors
- Be careful about writing policies and then not adhering to them
- Communicate your policies to your employees
- Some of the policies will be directly related to, and provide a framework for, an acceptable use policy for employees
Let's talk more about ingress points
- Internet connections
- Websites, or web browsing
- VPN
- Email (and webmail)
- Wireless
- Mobile devices
- What about physical access? USB drives; where are your servers, switches, and routers stored? Are all wall ports active?
Controlled access
- Refer back to your policy: Who, What, When, and How
- Least privilege (best practice)
- Disable or delete accounts no longer in use
- Passwords: change them routinely; complex passwords are best (*Hotmail example*)
- Change default passwords on devices such as wireless access points and broadband routers
- If possible, rename default accounts (administrator or guest)
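The checks on this slide (stale accounts, password age, default accounts left enabled, rights beyond what a role needs) can be run as a script against an account export. The following is an added example and is not from the presentation; the thresholds, role names and the inventory it audits are assumptions constructed for the example.

```python
"""Account hygiene audit for the 'Controlled access' checklist.

Added example, not from the original presentation. It runs over a
constructed account inventory of the kind you would export from Active
Directory, an application, or a network device, and flags what the slide
lists: accounts no longer in use, passwords not rotated, default accounts
still enabled, and privileges beyond what the role in the policy justifies.
All thresholds and role names are assumptions for the example.
"""
from datetime import date, timedelta
import string

STALE_DAYS = 90            # no login in this many days: disable or delete (assumed)
MAX_PASSWORD_AGE = 90      # rotate passwords at least this often (assumed)
MIN_PASSWORD_LENGTH = 12   # assumed minimum length for a "complex" password
DEFAULT_ACCOUNTS = {"administrator", "admin", "guest", "root", "cisco"}
ADMIN_ROLES = {"it"}       # the only role the policy's "Who" grants admin rights (assumed)

TODAY = date(2024, 6, 1)

def _acct(user, role, admin, days_since_login, pw_age_days, enabled=True):
    return {"user": user, "role": role, "admin": admin,
            "last_login": TODAY - timedelta(days=days_since_login),
            "pw_set": TODAY - timedelta(days=pw_age_days), "enabled": enabled}

# Constructed inventory for the example.
ACCOUNTS = [
    _acct("jgibson",       "it",     True,  1,   30),
    _acct("administrator", "it",     True,  0,   400),                 # default admin, still in use
    _acct("guest",         "none",   False, 600, 600, enabled=False),  # disabled: fine
    _acct("svc_backup",    "it",     True,  200, 20),                  # nobody has used it for months
    _acct("mjones",        "sales",  True,  3,   15),                  # admin rights a sales role does not need
    _acct("vendor_acme",   "vendor", False, 5,   400),                 # password never rotated
]

def audit_account(acct, today=TODAY):
    """Return the policy violations for one account (empty list if clean)."""
    findings = []
    if not acct["enabled"]:
        return findings  # a disabled account cannot be used; nothing to flag here
    if acct["user"].lower() in DEFAULT_ACCOUNTS:
        findings.append("default account still enabled: rename or disable it")
    idle = (today - acct["last_login"]).days
    if idle > STALE_DAYS:
        findings.append(f"no login in {idle} days: disable or delete")
    if (today - acct["pw_set"]).days > MAX_PASSWORD_AGE:
        findings.append("password older than policy allows: force a change")
    if acct["admin"] and acct["role"] not in ADMIN_ROLES:
        findings.append("admin rights not justified by role: apply least privilege")
    return findings

def audit(accounts, today=TODAY):
    """Map each account that has findings to its list of findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report

def is_complex(password):
    """Minimum length plus at least three of four character classes (assumed rule)."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3

if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Run it on a real export by replacing ACCOUNTS with the parsed rows; the point of keeping the thresholds at the top is that they should come from the written policy, not from the script.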
Must haves (top 3 security measures):
- Security updates: keep your workstations, laptops, servers, and network devices up to date with the latest security patches. For Microsoft systems, turn on automatic updates or use WSUS; it's free! http://technet.microsoft.com/en-us/windowsserver/bb332157
- Antivirus: Symantec, Trend Micro, and McAfee are all acceptable products. Updates are crucial here too
- Firewall: not having a firewall is like leaving all the doors to your house wide open. Juniper, Cisco, Check Point, broadband routers, etc. It doesn't need to be complicated; just close the doors!
Additional considerations: device authentication
- Control which laptops, workstations, smartphones, tablets, etc. are able to access systems remotely
- Uses certificates installed on the device to ensure the device is approved and not a rogue device
Again, refer to your security policy. You now know:
- Who should be accessing your IT systems
- What information they should be accessing
- When they should be accessing the systems
- How they should be accessing the systems
Now, track and record it
Must haves:
- Logging: most, if not all, network devices and servers have the capability
- Inventory of people accessing critical data (once again, referring back to the "who" in your policy)
Additional considerations:
- Intrusion detection and prevention (IDS/IPS): Cisco, Snort (free)
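"Track and record it" only pays off if the logs are compared with the policy. The following added example (not from the presentation) parses constructed access log lines, checks each event against an assumed Who/What/When/How policy, and builds the inventory of who reached critical data; the users, hosts, networks and resources are invented for the example.

```python
"""Checking access logs against the Who/What/When/How policy.

Added example, not from the original presentation. It parses constructed
log lines in a simple key=value form (what a log collector could emit after
normalization), reports events the policy does not allow, and builds the
inventory of who touched critical data. The policy, users, hosts, networks
and resources are assumptions for the example.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy, derived from the Who/What/When/How answers.
POLICY = {
    "users": {
        "jgibson":     {"resources": {"finance-share", "hr-db", "email"}, "networks": ["10.0.0.0/8"]},
        "mjones":      {"resources": {"crm", "email"},                    "networks": ["10.0.0.0/8", "10.8.0.0/24"]},
        "vendor_acme": {"resources": {"lab-app"},                         "networks": ["203.0.113.0/24"]},
    },
    "business_hours": (7, 19),   # Monday to Friday, 07:00 to 19:00 (assumed)
    "critical": {"finance-share", "hr-db"},
}

# Constructed log lines (2024-06-03 is a Monday, 2024-06-08 a Saturday).
LOG_LINES = [
    "2024-06-03T09:15:02 host=fs01 user=jgibson src=10.0.1.15 resource=finance-share result=success",
    "2024-06-03T12:40:11 host=crm01 user=mjones src=10.8.0.7 resource=crm result=success",
    "2024-06-03T23:02:45 host=fs01 user=mjones src=10.0.2.9 resource=finance-share result=success",
    "2024-06-04T10:05:00 host=lab01 user=vendor_acme src=198.51.100.23 resource=lab-app result=success",
    "2024-06-04T10:06:00 host=mail01 user=tsmith src=10.0.3.4 resource=email result=failure",
    "2024-06-08T08:30:00 host=fs01 user=jgibson src=10.0.1.15 resource=hr-db result=success",
]

def parse_line(line):
    """'TIMESTAMP k=v k=v ...' -> dict with a datetime under 'time'."""
    stamp, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["time"] = datetime.fromisoformat(stamp)
    return event

def check_event(event, policy=POLICY):
    """Return the reasons this event violates the policy (empty list if allowed)."""
    rules = policy["users"].get(event["user"])
    if rules is None:
        return [f"unknown user {event['user']} (not in the Who list)"]
    reasons = []
    if event["resource"] not in rules["resources"]:
        reasons.append(f"{event['resource']} not a permitted resource (What)")
    start, end = policy["business_hours"]
    t = event["time"]
    if t.weekday() >= 5 or not start <= t.hour < end:
        reasons.append("outside business hours (When)")
    src = ip_address(event["src"])
    if not any(src in ip_network(n) for n in rules["networks"]):
        reasons.append(f"source {event['src']} not an approved network (How)")
    return reasons

def monitor(lines, policy=POLICY):
    """Return (violations, inventory): flagged events, and who reached critical data."""
    violations = []
    inventory = {res: set() for res in policy["critical"]}
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        reasons = check_event(event, policy)
        if reasons:
            violations.append({"line": number, "user": event["user"], "reasons": reasons})
        # Record every successful touch of critical data, allowed or not.
        if event["result"] == "success" and event["resource"] in inventory:
            inventory[event["resource"]].add(event["user"])
    return violations, inventory

if __name__ == "__main__":
    found, who = monitor(LOG_LINES)
    for v in found:
        print(f"line {v['line']} {v['user']}: " + "; ".join(v["reasons"]))
    for resource, users in who.items():
        print(f"{resource}: {sorted(users)}")
```

The inventory deliberately records the off-hours access by mjones even though it is also flagged as a violation: the list of people who actually reached critical data is what an auditor asks for, and it should not depend on whether the access was allowed.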
Goal: identify weaknesses you are not aware of
Must haves:
- Internal vulnerability scanning. Many tools are available (GFI LanGuard): http://landlanss.gfi.com/open-networksm/?adv=952&loc=65&gclid=clhn_ce_-kocfsueqaod4fniga
- Routine schedule: once each month, quarter, or year? Whatever makes sense for your business; twice each year is recommended
- Again, many IT consulting firms can do this for you
Additional considerations:
- 3rd-party vulnerability scanning: QualysGuard is a reputable service, accredited by many industries
- Can do both internal and external scans
- Great selling point to your clients that you have been independently tested
Keeping up with the hackers
- What did you learn from your vulnerability scans?
- Create your action item list from these reports
- Prioritize your list; your scans will tell you the severity of the identified risks
- And
Now repeat the process
- Adjust your policy if necessary (Corporate Policy)
- Implement your action items (Secure)
- Monitor your systems and verify your action items are implemented properly (Monitor)
- Test again (Test)
- And once again implement the changes necessary to correct any deficiencies (Improve)
This is a continual yet manageable process
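Turning the scan report into the action item list the previous two slides describe is mostly a matter of deduplicating, ordering by severity, and putting the ingress points first. The following added example (not from the presentation) does that over a constructed scanner export; the hosts, findings, weighting and remediation deadlines are assumptions for the example, not figures from the talk or from any standard.

```python
"""Turning a vulnerability scan report into a prioritized action list.

Added example, not from the original presentation. The rows are constructed
to look like a typical scanner export (host, whether the host is reachable
from the Internet, severity, finding). The ordering combines the severity
the scanner reports with the exposure of the host, so the ingress points
the earlier slides say to start with come out first. The weighting and the
deadlines are assumptions for the example.
"""
from datetime import date, timedelta

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
DUE_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}   # assumed remediation deadlines

# Constructed scanner export: (host, internet_facing, severity, finding).
SCAN_ROWS = [
    ("mail01",   True,  "High",     "Missing vendor security updates"),
    ("mail01",   True,  "High",     "Missing vendor security updates"),   # duplicate row from a rescan
    ("fs01",     False, "Critical", "SMBv1 enabled"),
    ("www01",    True,  "Critical", "Outdated TLS configuration"),
    ("ap-lobby", True,  "High",     "Default administrator credentials"),
    ("ws-042",   False, "Medium",   "Antivirus signatures out of date"),
    ("ws-042",   False, "Low",      "ICMP timestamp disclosure"),
]

def risk_score(severity, internet_facing):
    """Scanner severity weighted by exposure: an ingress point counts double (assumed)."""
    return SEVERITY_RANK[severity] * (2 if internet_facing else 1)

def prioritize(rows, scan_date=date(2024, 6, 1)):
    """Deduplicate (host, finding) pairs and order them for the action item list."""
    seen = set()
    items = []
    for host, exposed, severity, finding in rows:
        key = (host, finding)
        if key in seen:
            continue
        seen.add(key)
        items.append({
            "host": host,
            "internet_facing": exposed,
            "severity": severity,
            "finding": finding,
            "score": risk_score(severity, exposed),
            "due": scan_date + timedelta(days=DUE_DAYS[severity]),
        })
    # Highest risk first; earlier deadline, then host name, break ties.
    items.sort(key=lambda i: (-i["score"], i["due"], i["host"]))
    return items

if __name__ == "__main__":
    for rank, item in enumerate(prioritize(SCAN_ROWS), 1):
        exposure = "internet-facing" if item["internet_facing"] else "internal"
        print(f"{rank}. [{item['severity']}/{exposure}] {item['host']}: "
              f"{item['finding']} (due {item['due']})")
```

The list this produces is the input to the Secure step of the wheel; the due dates are what the Monitor step verifies against, and the next scan (Test) shows which items actually closed.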
Questions?