Is your company security aware
This presentation is the property of its rightful owner.
Sponsored Links
1 / 17

Is Your Company Security Aware? PowerPoint PPT Presentation


  • 63 Views
  • Uploaded on
  • Presentation posted in: General

Is Your Company Security Aware?. Presented By: Brian Picard GSEC. Personal Background. Progressive Insurance – Security Architect 10 Long Years ( 6 years in Identity/Security ) GIAC – GSEC Certified

Download Presentation

Is Your Company Security Aware?

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Is your company security aware

Is Your Company Security Aware?

Presented By:

Brian Picard GSEC


Personal background

Personal Background

  • Progressive Insurance – Security Architect

    • 10 Long Years ( 6 years in Identity/Security )

    • GIAC – GSEC Certified

    • Wide range of background experience ( ie Server Administration, Networking, Development, Identity, and Security Architecture )

  • Private Consulting – Anything Technical

    • 9 Year ( 4 years in Identity/Security )

    • Network Development

    • Server Implementations

    • Custom Development

    • Security Consultations and Instruction


Overview

Overview

  • Security Awareness Program

  • Security Effort Statements

  • Sample Security Awareness Efforts

    • Social Engineering

    • Public Information Gathering

    • Development Challenges

    • Physical Security Awareness

    • Adjacent Risks

    • Other Samples


Security awareness program

Security Awareness Program

WARNING

This should not be done as a group activity

WARNING

  • Definition: This describes where your company’s security awareness is focused and a rough outline of the scope.

  • Efforts: This describes what efforts will be made to meet your goals.

  • Timeframe: This will define how long your company will follow this initiative before re-evaluating it’s position.


Security effort statement

Security Effort Statement

WARNING

These need to be done as a group activity

WARNING

  • Objective: Goals, Scope (In AND Out), Gaps

  • TargetAudience: Intended Targets, Depth Of Technical Knowledge

  • Actions: Mediums of Delivery, Durations, Required/Optional

  • AdditionalReferences: Other Sources Of Information

  • Measurements: Verification On Success


Sample security efforts social engineering

Sample Security Efforts(Social Engineering)

  • Objective: To inform employees about Social Engineering and to give them the ability to professionally deal with a suspected Social Engineer. The scope will include social engineering applied to phones, emails, and physical entry to the buildings.

  • Target Audience: All Company Employees

  • Actions: Company-wide web cast about Social Engineering. Including a definition, common real-world examples, and ways to deal with suspected social engineers.


Sample security efforts social engineering cont

Sample Security Efforts(Social Engineering)<Cont>

  • Additional Resources:

    http://en.wikipedia.org/wiki/Pretexting

    http://www.securityfocus.com/infocus/1527

    http://www.sans.org/reading_room/whitepapers/engineering

  • Measurements:

  • A company-wide web test administered 6 months after the training is completed.

  • Random Social Engineering attempts done from outside consultants.


Sample security efforts public information gathering

Sample Security Efforts(Public Information Gathering)

  • Objective: To inform employees about Public Information Gathering. The scope includes web and verbal content with individuals inside and outside the company.

  • Target Audience: The target for this security effort is Web Content Analysts and Point Of Sale employees.

  • Actions:

    • A web based find the information internal game. This game will include potentially critical company information hidden on a typical looking company web site.

    • An internet scavanger hunt for public information on companies with explanations on how this information could be useful to an outsider.


Sample security efforts public information gathering cont

Sample Security Efforts(Public Information Gathering)<cont>

  • Additional Information:

    • http://businessethics.suite101.com/article.cfm/corporate_intelligence_gathering

  • Measurements:

  • Post assessment of Information Gathering game.

  • Internet Scavenger Hunt to gather required pieces of information about companies based off their corporate web site


Sample security efforts development challenges

Sample Security Efforts(Development Challenges)

  • Objective: To inform developers of the potential problems with unsafe coding practices. The scope of this will include Cross-site scripting (XSS), SQL Injections, and Improper Input Validation.

  • Target Audience: Web developers that work on an external facing application.

  • Actions: This effort will be comprised of a progressive set of challenges regarding the above mentioned topics. After each challenge some hints will be given to help solve the next round of problems.


Sample security efforts development challenges cont

Sample Security Efforts(Development Challenges)<cont>

  • Additional Resources:

    • http://en.wikipedia.org/wiki/Cross-site_scripting

    • http://www.cgisecurity.com/articles/xss-faq.shtml

    • http://en.wikipedia.org/wiki/SQL_injection

    • http://www.unixwiz.net/techtips/sql-injection.html

  • Measurements:

  • The completion of the required challenges within a designated time frame.

  • The completion of a follow-up set of challenges, different then the first, six months after completion of the previous round.

  • Bug tracking for reported SQL Injection, XSS, and Input Validation Issues.


Sample security efforts physical security awareness

Sample Security Efforts(Physical Security Awareness)

  • Objective: To inform the employees about potential problems with lacking physical security. The scope for this shall include only entering the building.

  • Target Audience: All employees with badges.

  • Actions:

    • An online bulletin explaining the problems and statistics around un-authorized individuals.

    • Movable Plaques mounted around badging stations explaining that every person should swipe their own badge and those attempting to tailgate should be questioned.


Sample security efforts physical security awareness cont

Sample Security Efforts(Physical Security Awareness)<cont>

  • Rotation of entry staff to encourage the requirement of swiping and diminish the likelihood of known employees being allowed to enter.

  • Colorful Posters or Cutouts moved around the company encouraging employees to swipe for their own entry and question others attempting to enter on their swipe.

  • Measurements:

  • Trending on the number of un-authorized people in the buildings.

  • Trending on the number of card swipes per day.


  • Sample security efforts adjacent risks

    Sample Security Efforts(Adjacent Risks)

    • Objective: To inform all company employees that work on external data transactions with other companies about Extended Security threats.

    • Target Audience: Any employee that work on external data transactions.

    • Actions: A Web Based Training (WBT) that explains the potential problems and history of known problems around network extensions.

    • Measurements: A post assessment of the content covered in the WBT.


    Sample security efforts other samples

    Sample Security Efforts(Other Samples)

    • Security Informational Sessions

    • Security Posters

    • Security Bulletins

    • Data Classification Awareness

    • Phishing

    • Source Code Management


    Final thoughts

    Final Thoughts

    • Publish Your Security Awareness Statement

    • Trust but Verify Completion of Efforts


    Recap and personal contact information

    Recap And Personal Contact Information

    • Recap

    • Contact Info:

      • [email protected]


  • Login