Is Your Company Security Aware?

Presented By:

Brian Picard GSEC


Personal Background

  • Progressive Insurance – Security Architect

    • 10 years (6 years in Identity/Security)

    • GIAC – GSEC Certified

    • Wide range of background experience (i.e. Server Administration, Networking, Development, Identity, and Security Architecture)

  • Private Consulting – Anything Technical

    • 9 years (4 years in Identity/Security)

    • Network Development

    • Server Implementations

    • Custom Development

    • Security Consultations and Instruction


Overview

  • Security Awareness Program

  • Security Effort Statements

  • Sample Security Awareness Efforts

    • Social Engineering

    • Public Information Gathering

    • Development Challenges

    • Physical Security Awareness

    • Adjacent Risks

    • Other Samples


Security Awareness Program

WARNING

This should not be done as a group activity

WARNING

  • Definition: This describes where your company’s security awareness is focused and gives a rough outline of the scope.

  • Efforts: This describes what efforts will be made to meet your goals.

  • Timeframe: This defines how long your company will follow this initiative before re-evaluating its position.


Security Effort Statement

WARNING

These need to be done as a group activity

WARNING

  • Objective: Goals, Scope (In AND Out), Gaps

  • Target Audience: Intended Targets, Depth Of Technical Knowledge

  • Actions: Mediums of Delivery, Durations, Required/Optional

  • Additional References: Other Sources Of Information

  • Measurements: Verification On Success


Sample Security Efforts (Social Engineering)

  • Objective: To inform employees about Social Engineering and to give them the ability to professionally deal with a suspected Social Engineer. The scope will include social engineering applied to phones, emails, and physical entry to the buildings.

  • Target Audience: All Company Employees

  • Actions: Company-wide web cast about Social Engineering. Including a definition, common real-world examples, and ways to deal with suspected social engineers.


Sample Security Efforts (Social Engineering) (cont.)

  • Additional Resources:

    http://en.wikipedia.org/wiki/Pretexting

    http://www.securityfocus.com/infocus/1527

    http://www.sans.org/reading_room/whitepapers/engineering

  • Measurements:

    • A company-wide web test administered 6 months after the training is completed.

    • Random Social Engineering attempts made by outside consultants.


Sample Security Efforts (Public Information Gathering)

  • Objective: To inform employees about Public Information Gathering. The scope includes web and verbal content with individuals inside and outside the company.

  • Target Audience: The target for this security effort is Web Content Analysts and Point Of Sale employees.

  • Actions:

    • A web-based internal "find the information" game. The game will include potentially critical company information hidden on a typical-looking company web site.

    • An internet scavenger hunt for public information on companies, with explanations of how this information could be useful to an outsider.


Sample Security Efforts (Public Information Gathering) (cont.)

  • Additional Information:

    • http://businessethics.suite101.com/article.cfm/corporate_intelligence_gathering

  • Measurements:

    • Post-assessment of the Information Gathering game.

    • Internet Scavenger Hunt to gather required pieces of information about companies based on their corporate web sites.


Sample Security Efforts (Development Challenges)

  • Objective: To inform developers of the potential problems with unsafe coding practices. The scope will include Cross-site Scripting (XSS), SQL Injection, and Improper Input Validation.

  • Target Audience: Web developers that work on an external facing application.

  • Actions: This effort will be comprised of a progressive set of challenges on the above-mentioned topics. After each challenge, hints will be given to help solve the next round of problems.


Sample Security Efforts (Development Challenges) (cont.)

  • Additional Resources:

    • http://en.wikipedia.org/wiki/Cross-site_scripting

    • http://www.cgisecurity.com/articles/xss-faq.shtml

    • http://en.wikipedia.org/wiki/SQL_injection

    • http://www.unixwiz.net/techtips/sql-injection.html

  • Measurements:

    • The completion of the required challenges within a designated time frame.

    • The completion of a follow-up set of challenges, different from the first, six months after completion of the previous round.

    • Bug tracking for reported SQL Injection, XSS, and Input Validation issues.
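The kind of challenge pair the slide describes, as an added example that is not part of the presentation: a login query built by string concatenation next to its parameterized form, a reflected greeting with and without output escaping, and an allow-list check for the username. The in-memory SQLite table, the user records, and the function names are constructed for this example; the SQLite "--" comment and the html module behaviour are standard Python.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample database for the challenge (not from the slides).

    Passwords are stored in clear text only to keep the round-1 challenge
    small; real code would store a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Round 1 (SQL Injection): user input is spliced into the SQL text.

    With username "' OR 1=1 --" the WHERE clause becomes
    username = '' OR 1=1 --' AND password = '...'
    so the password check is commented out and the login succeeds.
    """
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """Hardened form: values are bound as parameters, never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def greet_vulnerable(name):
    """Round 2 (XSS): untrusted input is echoed raw into the HTML response."""
    return "<p>Hello, " + name + "</p>"


def greet_fixed(name):
    """Hardened form: escape on output into HTML element content."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Round 3 (Input Validation): allow-list the shape of a username instead of
# trying to block-list dangerous characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "x"))
    print("fixed login with payload:     ", login_fixed(db, payload, "x"))
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_fixed("<script>alert(1)</script>"))
    print("payload passes validation:    ", valid_username(payload))
```

The fixed functions keep the same signatures as the vulnerable ones so a challenge round can swap one for the other and re-run the same probe; the validation step is a third layer, not a replacement for parameterization or output escaping.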


Sample Security Efforts (Physical Security Awareness)

  • Objective: To inform employees about the potential problems caused by lax physical security. The scope shall include only entry to the building.

  • Target Audience: All employees with badges.

  • Actions:

    • An online bulletin explaining the problems and statistics around unauthorized individuals in the building.

    • Movable Plaques mounted around badging stations explaining that every person should swipe their own badge and those attempting to tailgate should be questioned.


Sample Security Efforts (Physical Security Awareness) (cont.)

  • Actions (cont.):

    • Rotation of entry staff to reinforce the requirement to swipe and to diminish the likelihood of known employees being allowed in without swiping.

    • Colorful posters or cutouts moved around the company encouraging employees to swipe for their own entry and to question others attempting to enter on their swipe.

  • Measurements:

    • Trending on the number of unauthorized people found in the buildings.

    • Trending on the number of card swipes per day.
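One way to run the "card swipes per day" trend, as an added example that is not part of the presentation: count granted swipes per day from badge-reader logs and flag days that fall well below the median, since a drop in swipes with the same people in the building is the signature of tailgating. The log format, the badge ids, the door name and the 80% threshold are all constructed assumptions for this example; a real reader export will need its own parser.

```python
from collections import defaultdict
from statistics import median

# Constructed badge-reader log (not from the presentation): one line per
# swipe, in the form "<timestamp> door=<name> badge=<id> result=<decision>".
# Thursday 2024-03-07 has only two granted swipes and one denial, as if the
# rest of the team followed someone through the door.
SAMPLE_LOG = """\
2024-03-04T08:01:10 door=lobby badge=1001 result=granted
2024-03-04T08:03:42 door=lobby badge=1002 result=granted
2024-03-04T08:05:07 door=lobby badge=1003 result=granted
2024-03-04T08:09:55 door=lobby badge=1004 result=granted
2024-03-05T07:58:31 door=lobby badge=1001 result=granted
2024-03-05T08:02:14 door=lobby badge=1002 result=granted
2024-03-05T08:04:48 door=lobby badge=1003 result=granted
2024-03-05T08:11:20 door=lobby badge=1004 result=granted
2024-03-06T08:00:02 door=lobby badge=1001 result=granted
2024-03-06T08:02:57 door=lobby badge=1002 result=granted
2024-03-06T08:06:13 door=lobby badge=1003 result=granted
2024-03-06T08:08:40 door=lobby badge=1004 result=granted
2024-03-07T08:01:33 door=lobby badge=1001 result=granted
2024-03-07T08:01:39 door=lobby badge=1002 result=granted
2024-03-07T08:02:05 door=lobby badge=1099 result=denied
2024-03-08T07:59:12 door=lobby badge=1001 result=granted
2024-03-08T08:03:27 door=lobby badge=1002 result=granted
2024-03-08T08:05:50 door=lobby badge=1003 result=granted
2024-03-08T08:10:04 door=lobby badge=1004 result=granted
"""


def swipes_per_day(lines):
    """Return {day: granted swipe count} from reader log lines.

    Denied swipes are excluded: only a granted swipe means the badge holder
    entered on their own credential, which is what the trend is meant to
    measure.
    """
    counts = defaultdict(int)
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if fields.get("result") != "granted":
            continue
        day = parts[0][:10]  # ISO date prefix of the timestamp
        counts[day] += 1
    return dict(counts)


def flag_low_swipe_days(counts, threshold=0.8):
    """Flag days whose granted-swipe count is below threshold x the median.

    The median is used as the baseline so that one bad day does not drag
    the baseline down with it. The 0.8 factor is an assumption for this
    example and should be tuned against the site's normal variance.
    """
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(day for day, n in counts.items() if n < threshold * baseline)


if __name__ == "__main__":
    per_day = swipes_per_day(SAMPLE_LOG.splitlines())
    for day in sorted(per_day):
        print(day, per_day[day])
    print("possible tailgating on:", flag_low_swipe_days(per_day))
```

Pairing this count with the building headcount (for example, from the desk-booking or visitor system) turns the ratio of swipes to people present into the direct tailgating metric; the per-day trend above is the minimum that the reader logs alone can give.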


Sample Security Efforts (Adjacent Risks)

  • Objective: To inform all company employees who work on external data transactions with other companies about extended-network security threats.

  • Target Audience: Any employee who works on external data transactions.

  • Actions: A Web Based Training (WBT) that explains the potential problems, and the history of known problems, around network extensions.

  • Measurements: A post-assessment of the content covered in the WBT.


Sample Security Efforts (Other Samples)

  • Security Informational Sessions

  • Security Posters

  • Security Bulletins

  • Data Classification Awareness

  • Phishing

  • Source Code Management


Final Thoughts

  • Publish Your Security Awareness Statement

  • Trust but Verify Completion of Efforts


Recap And Personal Contact Information

  • Recap

  • Contact Info:

    • [email protected]

