is your company security aware
Download
Skip this Video
Download Presentation
Is Your Company Security Aware?

Loading in 2 Seconds...

play fullscreen
1 / 17

Is Your Company Security Aware? - PowerPoint PPT Presentation


  • 86 Views
  • Uploaded on

Is Your Company Security Aware?. Presented By: Brian Picard GSEC. Personal Background. Progressive Insurance – Security Architect 10 Long Years ( 6 years in Identity/Security ) GIAC – GSEC Certified

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Is Your Company Security Aware?' - hosea


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
is your company security aware

Is Your Company Security Aware?

Presented By:

Brian Picard GSEC

personal background
Personal Background
  • Progressive Insurance – Security Architect
    • 10 Long Years ( 6 years in Identity/Security )
    • GIAC – GSEC Certified
    • Wide range of background experience ( ie Server Administration, Networking, Development, Identity, and Security Architecture )
  • Private Consulting – Anything Technical
    • 9 Year ( 4 years in Identity/Security )
    • Network Development
    • Server Implementations
    • Custom Development
    • Security Consultations and Instruction
overview
Overview
  • Security Awareness Program
  • Security Effort Statements
  • Sample Security Awareness Efforts
    • Social Engineering
    • Public Information Gathering
    • Development Challenges
    • Physical Security Awareness
    • Adjacent Risks
    • Other Samples
security awareness program
Security Awareness Program

WARNING

This should not be done as a group activity

WARNING

  • Definition: This describes where your company’s security awareness is focused and a rough outline of the scope.
  • Efforts: This describes what efforts will be made to meet your goals.
  • Timeframe: This will define how long your company will follow this initiative before re-evaluating it’s position.
security effort statement
Security Effort Statement

WARNING

These need to be done as a group activity

WARNING

  • Objective: Goals, Scope (In AND Out), Gaps
  • TargetAudience: Intended Targets, Depth Of Technical Knowledge
  • Actions: Mediums of Delivery, Durations, Required/Optional
  • AdditionalReferences: Other Sources Of Information
  • Measurements: Verification On Success
sample security efforts social engineering
Sample Security Efforts(Social Engineering)
  • Objective: To inform employees about Social Engineering and to give them the ability to professionally deal with a suspected Social Engineer. The scope will include social engineering applied to phones, emails, and physical entry to the buildings.
  • Target Audience: All Company Employees
  • Actions: Company-wide web cast about Social Engineering. Including a definition, common real-world examples, and ways to deal with suspected social engineers.
sample security efforts social engineering cont
Sample Security Efforts(Social Engineering)<Cont>
  • Additional Resources:

http://en.wikipedia.org/wiki/Pretexting

http://www.securityfocus.com/infocus/1527

http://www.sans.org/reading_room/whitepapers/engineering

  • Measurements:
  • A company-wide web test administered 6 months after the training is completed.
  • Random Social Engineering attempts done from outside consultants.
sample security efforts public information gathering
Sample Security Efforts(Public Information Gathering)
  • Objective: To inform employees about Public Information Gathering. The scope includes web and verbal content with individuals inside and outside the company.
  • Target Audience: The target for this security effort is Web Content Analysts and Point Of Sale employees.
  • Actions:
    • A web based find the information internal game. This game will include potentially critical company information hidden on a typical looking company web site.
    • An internet scavanger hunt for public information on companies with explanations on how this information could be useful to an outsider.
sample security efforts public information gathering cont
Sample Security Efforts(Public Information Gathering)<cont>
  • Additional Information:
    • http://businessethics.suite101.com/article.cfm/corporate_intelligence_gathering
  • Measurements:
  • Post assessment of Information Gathering game.
  • Internet Scavenger Hunt to gather required pieces of information about companies based off their corporate web site
sample security efforts development challenges
Sample Security Efforts(Development Challenges)
  • Objective: To inform developers of the potential problems with unsafe coding practices. The scope of this will include Cross-site scripting (XSS), SQL Injections, and Improper Input Validation.
  • Target Audience: Web developers that work on an external facing application.
  • Actions: This effort will be comprised of a progressive set of challenges regarding the above mentioned topics. After each challenge some hints will be given to help solve the next round of problems.
sample security efforts development challenges cont
Sample Security Efforts(Development Challenges)<cont>
  • Additional Resources:
    • http://en.wikipedia.org/wiki/Cross-site_scripting
    • http://www.cgisecurity.com/articles/xss-faq.shtml
    • http://en.wikipedia.org/wiki/SQL_injection
    • http://www.unixwiz.net/techtips/sql-injection.html
  • Measurements:
  • The completion of the required challenges within a designated time frame.
  • The completion of a follow-up set of challenges, different then the first, six months after completion of the previous round.
  • Bug tracking for reported SQL Injection, XSS, and Input Validation Issues.
sample security efforts physical security awareness
Sample Security Efforts(Physical Security Awareness)
  • Objective: To inform the employees about potential problems with lacking physical security. The scope for this shall include only entering the building.
  • Target Audience: All employees with badges.
  • Actions:
    • An online bulletin explaining the problems and statistics around un-authorized individuals.
    • Movable Plaques mounted around badging stations explaining that every person should swipe their own badge and those attempting to tailgate should be questioned.
sample security efforts physical security awareness cont
Sample Security Efforts(Physical Security Awareness)<cont>
    • Rotation of entry staff to encourage the requirement of swiping and diminish the likelihood of known employees being allowed to enter.
    • Colorful Posters or Cutouts moved around the company encouraging employees to swipe for their own entry and question others attempting to enter on their swipe.
  • Measurements:
  • Trending on the number of un-authorized people in the buildings.
  • Trending on the number of card swipes per day.
sample security efforts adjacent risks
Sample Security Efforts(Adjacent Risks)
  • Objective: To inform all company employees that work on external data transactions with other companies about Extended Security threats.
  • Target Audience: Any employee that work on external data transactions.
  • Actions: A Web Based Training (WBT) that explains the potential problems and history of known problems around network extensions.
  • Measurements: A post assessment of the content covered in the WBT.
sample security efforts other samples
Sample Security Efforts(Other Samples)
  • Security Informational Sessions
  • Security Posters
  • Security Bulletins
  • Data Classification Awareness
  • Phishing
  • Source Code Management
final thoughts
Final Thoughts
  • Publish Your Security Awareness Statement
  • Trust but Verify Completion of Efforts
ad