Is Your Information Safe? Presented by: Jake Gibson IT Director, Eurofins


A little about your presenter:
- Director of Information Technology for Eurofins
- 20 years of Information Technology experience
- Previously provided security consultation and audit services for banks and credit unions
- Appointed to the Architecture Review Board and Security Task Force for the Centers for Medicare and Medicaid, a division of Health and Human Services

Many attacks recently: what does that mean?
- Increased publicity = increased notoriety for those performing the attacks
- For every hacking attempt reported, many more go unreported
- Even more alarming, many attacks go unnoticed!

Why do we need IT security? It seems very expensive.
- First and foremost, to protect your company and your clients
- Regulatory requirements

How do I know what my risks are?
- If you don't know, ask for help! Many companies specialize in IT security
- Your biggest areas of exposure are your ingress points: start there, just like locking the doors to your home
- After that, consult the security wheel

[Figure: the security wheel, courtesy of Cisco. Stages: Corporate Policy -> Secure -> Monitor and Respond -> Test -> Manage and Improve]

Corporate Policy
- Often overlooked
- Key to the success of all other steps
- Write it down!
- NIST (National Institute of Standards and Technology) is an excellent resource for general guidelines and common practices: http://csrc.nist.gov/publications/pubssps.html
- Don't overlook training and awareness (NIST SP 800-50)

Who, What, When, and How: a framework for a policy
- Who: determine who has access to your IT systems. In addition to employees, this includes vendors, business partners, and clients
- What: identify the systems accessible by that list of "who": Internet sites, intranet, files, databases, email, etc.
- When: not all systems need to be accessible at all hours or on all days. Consider restricting access to working hours only (used less often now that people have become more mobile)
- How: internal, external, remote. Are clients accessing systems via websites? How are your employees accessing IT systems?

Document your policies once you have answered the Who, What, When, and How questions
- They should be accessible to all employees and auditors
- Be careful about writing policies and then not adhering to them
- Communicate your policies to your employees
- Some of the policies will be directly related to, and provide a framework for, an acceptable use policy for employees

Let's talk more about ingress points
- Internet connections
- Websites, or web browsing
- VPN
- Email (and webmail)
- Wireless
- Mobile devices
- What about physical access?
  - USB drives
  - Where are your servers, switches, and routers stored?
  - Are all wall ports active?

Controlled access
- Refer back to your policy: Who, What, When, and How
- Least privilege (best practice)
- Disable or delete accounts no longer in use
- Passwords
  - Change them routinely
  - Complex passwords are best (*Hotmail example*)
  - Change default passwords on devices such as wireless access points and broadband routers
  - If possible, rename default accounts (administrator or guest)
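As an added example (not part of the presentation), the Active Directory side of this slide as a PowerShell audit: find enabled accounts nobody has used, passwords that have outlived the rotation interval, and the built-in Administrator and Guest accounts regardless of what they have been renamed to. It assumes the RSAT ActiveDirectory module and a domain account that can read user objects; the 90-day thresholds are assumptions to replace with the values from your own written policy.

```powershell
# Added example, not from the presentation. Assumes the ActiveDirectory module
# (RSAT) and a domain account with rights to read user objects (and to disable
# them once -WhatIf is removed). Thresholds are assumptions: take them from
# your written policy.
Import-Module ActiveDirectory

$InactiveDays       = 90   # no logon in this long = "no longer in use"
$MaxPasswordAgeDays = 90   # rotation interval from policy

# 1. Accounts no longer in use: still enabled, but no logon for $InactiveDays days.
#    This uses lastLogonTimestamp, which is replicated (with up to ~14 days of lag),
#    so one query against any domain controller is enough.
$stale = Search-ADAccount -AccountInactive -UsersOnly `
             -TimeSpan (New-TimeSpan -Days $InactiveDays) |
         Where-Object { $_.Enabled }
Write-Host "Enabled accounts inactive for $InactiveDays+ days:"
$stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize
# Review the list, then drop -WhatIf to actually disable them.
$stale | Disable-ADAccount -WhatIf

# 2. Password rotation: enabled accounts whose password is older than policy
#    allows, was never set, or is flagged to never expire.
$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
Write-Host "Enabled accounts violating the $MaxPasswordAgeDays-day password policy:"
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object {
        $_.Enabled -and (
            $_.PasswordNeverExpires -or
            -not $_.PasswordLastSet -or
            $_.PasswordLastSet -lt $cutoff
        )
    } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize

# 3. Default accounts: the built-in Administrator and Guest keep the well-known
#    RIDs 500 and 501 whatever they are called, so match on the SID, not the name.
Write-Host "Built-in Administrator (RID 500) and Guest (RID 501):"
Get-ADUser -Filter * |
    Where-Object { $_.SID.Value -match '-50[01]$' } |
    Select-Object SamAccountName, Enabled,
                  @{ Name = 'RID'; Expression = { $_.SID.Value.Split('-')[-1] } } |
    Format-Table -AutoSize
# If SamAccountName is still 'Administrator' or 'Guest', rename it, for example
# (the new name is a placeholder):
#   Set-ADUser -Identity Administrator -SamAccountName 'corp-breakglass'
# The RID-500 account cannot be deleted; keep it disabled for day-to-day use.
```

The -WhatIf on Disable-ADAccount is deliberate: the slide says "disable or delete", but the list should be reviewed first, because service accounts that authenticate with Kerberos tickets rather than interactive logons can look inactive. Matching on the RID rather than the name is what makes the third check useful: renaming the administrator account (as the slide recommends) only helps if attackers cannot simply look it up, and this is the same lookup they would use.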

Must haves (top 3 security measures)
- Security updates
  - Keep your workstations, laptops, servers, and network devices up to date with the latest security patches
  - For Microsoft systems, turn on automatic updates or use WSUS (it's free!): http://technet.microsoft.com/en-us/windowsserver/bb332157
- Antivirus
  - Symantec, Trend Micro, and McAfee are all acceptable products
  - Updates are crucial here too
- Firewall
  - Not having a firewall is like leaving all the doors to your house wide open
  - Juniper, Cisco, Check Point, broadband routers, etc.
  - It doesn't need to be complicated: just close the doors!
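As an added example (not part of the presentation), a PowerShell function that checks all three must-haves on the local Windows host: whether updates are pointed at WSUS or Microsoft Update and not disabled by policy, whether antivirus real-time protection is on with fresh signatures, and whether every firewall profile is enabled with inbound traffic blocked by default. It assumes Windows 8 / Server 2012 or later (for Get-NetFirewallProfile) and Windows Defender; the fallback to the Security Center WMI class for third-party products only exists on client editions, and the 3-day signature age is an assumption.

```powershell
# Added example, not from the presentation. Reports the three must-haves on the
# local Windows host. Assumes Windows 8 / Server 2012 or later (NetSecurity
# module) and Windows Defender; third-party AV is read from Security Center,
# which exists on client editions only. The 3-day signature age is an assumption.
function Get-MustHaveStatus {
    $results = @()

    # --- 1. Security updates: WSUS target or Microsoft Update, and not disabled ---
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $pass = $false; $detail = 'Automatic updates disabled by policy (NoAutoUpdate=1)'
    } elseif ($wu -and $wu.WUServer) {
        $pass = $true;  $detail = "WSUS server $($wu.WUServer), AUOptions=$($au.AUOptions)"
    } else {
        $pass = $true;  $detail = 'Microsoft Update; automatic updates not disabled by policy'
    }
    $results += [pscustomobject]@{ Check = 'Security updates'; Pass = $pass; Detail = $detail }

    # --- 2. Antivirus: real-time protection on and signatures fresh ---
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $fresh = $mp.AntivirusSignatureAge -le 3
        $results += [pscustomobject]@{
            Check  = 'Antivirus'
            Pass   = ($mp.RealTimeProtectionEnabled -and $fresh)
            Detail = "Defender real-time=$($mp.RealTimeProtectionEnabled), signature age $($mp.AntivirusSignatureAge) days"
        }
    } else {
        # Third-party product registered with Security Center. productState is not
        # formally documented; the widely used decoding is bit 0x1000 = real-time
        # protection on, bit 0x10 = definitions out of date.
        $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $av) {
            $on       = ($p.productState -band 0x1000) -ne 0
            $outdated = ($p.productState -band 0x10)   -ne 0
            $results += [pscustomobject]@{ Check = 'Antivirus'; Pass = ($on -and -not $outdated); Detail = "$($p.displayName): enabled=$on, outdated=$outdated" }
        }
        if (-not $av) {
            $results += [pscustomobject]@{ Check = 'Antivirus'; Pass = $false; Detail = 'No antivirus product found' }
        }
    }

    # --- 3. Firewall: every profile enabled, inbound default not Allow ---
    # DefaultInboundAction of NotConfigured means the built-in default (Block).
    foreach ($prof in Get-NetFirewallProfile) {
        $results += [pscustomobject]@{
            Check  = "Firewall ($($prof.Name))"
            Pass   = ($prof.Enabled -eq 'True' -and $prof.DefaultInboundAction -ne 'Allow')
            Detail = "Enabled=$($prof.Enabled), DefaultInboundAction=$($prof.DefaultInboundAction)"
        }
    }

    return $results
}

Get-MustHaveStatus | Format-Table -AutoSize
```

Run it in an elevated prompt; any row with Pass = False is one of the "doors" the slide is talking about, still open. The same function can be pushed to every workstation and server with Invoke-Command so the check is done fleet-wide rather than on the one machine you happen to be sitting at.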

Additional considerations: device authentication
- Control which laptops, workstations, smartphones, tablets, etc. are able to access systems remotely
- Uses certificates installed on the device to ensure the device is approved and not a rogue device

Again, refer to your security policy. You now know:
- Who should be accessing your IT systems
- What information they should be accessing
- When they should be accessing the systems
- How they should be accessing the systems
Now, track and record it.

Must haves
- Logging: most, if not all, network devices and servers have the capability
- Inventory of people accessing critical data (once again, referring back to the "who" in your policy)
Additional considerations
- Intrusion Detection and Prevention (IDS/IPS): Cisco, Snort (free)
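As an added example (not part of the presentation), what "track and record it" looks like on a Windows server: make sure logon auditing is on, then read the local Security log and turn it into the inventory the slide asks for (who logged on, how, from where) plus a simple detection for repeated failures against one account from one source. It runs from an elevated prompt; the 24-hour window and the 10-failure threshold are assumptions.

```powershell
# Added example, not from the presentation. Reads the local Security log
# (elevated prompt required). The 24-hour window and 10-failure threshold are
# assumptions. First make sure logon auditing records both outcomes:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable

function Get-LogonSummary {
    param(
        [int]$Hours = 24,
        [int]$FailureThreshold = 10
    )
    $since  = (Get-Date).AddHours(-$Hours)
    # 4624 = successful logon, 4625 = failed logon
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    # Parse the event XML so fields are addressed by name, not by position in the message text
    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 remote interactive (RDP)
            Source    = $data['IpAddress']
            Status    = $data['Status']      # NTSTATUS on 4625, e.g. 0xC000006A = wrong password
        }
    }

    # Who actually used this system: the "inventory of people" from the slide
    $users = $rows | Where-Object Id -eq 4624 |
             Group-Object Account |
             Select-Object @{ n = 'Account';    e = { $_.Name } }, Count,
                           @{ n = 'LogonTypes'; e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' } },
                           @{ n = 'Sources';    e = { ($_.Group.Source    | Sort-Object -Unique) -join ',' } }

    # Repeated failures from one source against one account: password guessing,
    # or a stale saved password on a service or mapped drive
    $suspicious = $rows | Where-Object Id -eq 4625 |
                  Group-Object Account, Source |
                  Where-Object Count -ge $FailureThreshold |
                  Select-Object @{ n = 'Target';   e = { $_.Name } }, Count,
                                @{ n = 'Statuses'; e = { ($_.Group.Status | Sort-Object -Unique) -join ',' } }

    [pscustomobject]@{ Users = $users; SuspiciousFailures = $suspicious }
}

$summary = Get-LogonSummary
"Accounts that logged on in the last 24 hours:"
$summary.Users | Format-Table -AutoSize
"Account/source pairs with 10 or more failed logons:"
$summary.SuspiciousFailures | Format-Table -AutoSize
```

Compare the Users table against the "who" list in your policy: an account that logs on but is not on the list is either an omission in the policy or a problem. Machine accounts (names ending in $) and SYSTEM will show up in the successful logons; filter them out once you have confirmed they are expected. Forwarding the Security log to a central collector (Windows Event Forwarding or a syslog agent) is what keeps this record from disappearing with the machine if it is compromised.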

Goal: identify weaknesses you are not aware of
Must haves
- Internal vulnerability scanning
  - Many tools available (e.g. GFI LanGuard): http://landlanss.gfi.com/open-networksm/?adv=952&loc=65&gclid=clhn_ce_-kocfsueqaod4fniga
  - Routine schedule: once each month, quarter, or year? Whatever makes sense for your business; twice a year is recommended
  - Again, many IT consulting firms can do this for you

Additional considerations
- 3rd-party vulnerability scanning
  - QualysGuard: a reputable service, accredited by many industries
  - Can do both internal and external scans
  - Great selling point to your clients that you have been independently tested

Keeping up with the hackers
- What did you learn from your vulnerability scans?
- Create your action item list from these reports
- Prioritize your list; your scans will tell you the severity of the identified risks
- And then...

Now repeat the process
- Adjust your policy if necessary (Corporate Policy)
- Implement your action items (Secure)
- Monitor your systems and verify your action items are implemented properly (Monitor)
- Test again (Test)
- And once again implement the changes necessary to correct any deficiencies (Improve)
This is a continual yet manageable process.

Questions?