1 / 25

Enterprise IT Security

Enterprise IT Security. What you need to know Presented By Vipul Shah Director, PC Solutions Limited. Objective. Raise awareness that IT Security is an important business issue, deserves the attention of the organisational leadership AND

adora
Download Presentation

Enterprise IT Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Enterprise IT Security What you need to know Presented By Vipul Shah Director, PC Solutions Limited

  2. Objective Raise awareness that IT Security is • an important business issue, • deserves the attention of the organisational leadership AND • must be part of an overall risk management strategy for the organisation

  3. If you are a leader within an organisation Ask yourself • Has computer security received my attention? • Do I assist my IT team by providing them with the tools they need to do their jobs? • Do I support my IT team by abiding by the policies that have been set? • Do we have good company wide IT policies in place? Probably not Probably NO

  4. So does Anyone care about Security? • When we buy a new car we • first install the state of the art alarm system • then we install tracker • then we insure the car so that if 1 and 2 fail we can still buy another and • then we employ security guards – at home, at the office and even on the streets • We always worry about loss or damage to our assets. We crave security !

  5. Where are your company’s assets? • Buildings • Vehicles • Fixtures and fittings • Computer and office equipment IS That it? • Information and Data held on computers and servers throughout the organisation is also a business asset

  6. What is the information worth? • If your competitor got the names and details of all your customers would you have a problem? • If a fire destroyed all your buildings and your records what would you do? • If the day before a major tender your hard drive crashed– what would you do?

  7. What is the information worth? • If your competitor got the names and details of all your customers would you have a problem? • If a fire destroyed all your buildings and your records what would you do? • If the day before a major tender your hard drive crashed– what would you do? If you are in the service industry then your information is your PRIMARY asset. Impossible to put a value on how much it is really worth.

  8. When thinking of your corporate assets INCLUDE your IT systems and the data that resides on them. Step one to an effective security system Know what you want to protect

  9. Physical risks Theft Damage Disaster Catastrophe Digital Risks Viruses Denial of Service Unauthorised access Abuse of the systems Malicious code What are the risks to your IT assets ?

  10. Physical Risks • Walls/ fences • Locks • Security guards • Fire detection systems • Fire proof safes • Off-site storage of data/ backups

  11. Digital Risks • Viruses • Denial of Service • Unauthorised access • Abuse of the systems • Malicious code

  12. Viruses • Well Known Risk • How many have AV software? • How many paid for AV software? • How do you manage the updates/ upgrades process? • Do you have a policy? • Do you have someone responsible/accountable? • Are you protecting all the entry points?

  13. Denial of Service • Attack in which the organisation is denied access to a specific service • Known to have affected Global Brands such as Yahoo and ebay • Often carried out by exploiting known weaknesses in the OS • When a DoS attack happens Would you • know you were being subjected to a DoS attack? • How would you react? • Is there a plan in place to deal with the event?

  14. Unauthorised Access • unauthorised use of your corporate systems • Theft, unauthorised changes, deletion, and unauthorised distribution • Issue of Data Security and Integrity • Many ways these are carried out • user error, ex-employees whose passwords are still active, Hackers etc. • Impact • From Minor embarassment to multi-million $$$ losses affecting many people

  15. Unauthorised access 2 • What do you do to limit unauthorised access? • Have you got effective password management? • Do users know never to give their passwords out to anyone? • How well does your IDS work? • Have you investigated encryption? • You have a financial audit annually – when was the last time you had a IT security audit?

  16. Abuse of the Systems • Generally internal to the organisation • Physical world – my guys having a long break • Virtual world – Use of IT resources for personal use (lara croft manuals) • SPAM • Unsolicited email sent to people without their consent • Mail relay • Use of your bandwidth to send mails (SPAM)

  17. Abuse of the Systems (2) • Why is this an issue? • TIME • Cost of SPAM to a 100 user organisation will exceed US $5,000 per year. • Use of resources paid for by the organisation • Loss of business • Do you have an appropriate use policy? • For example no personal use of email during the working day? No XXX material!Company policy on not sending out SPAM mail?

  18. Malicious Code • Software designed to cause losses/ damage? • Some written by employees (fraud/ revenge) • More publicity – Worms and Trojans • Blaster Worm – takes advantage of error in s/w code to spread to many computers and then launch a coordinated attack on MS Windows update site • Nachi worm – designed to clean the Blaster worm then delete itself on 1/1/2004 • Klez – around since April but still prevalent and exploits weakness in IE 5 and 5.5 without SP. Mails itself to people on the mailing list

  19. Malicious Code (2) How do you guard? • Employee designed S/W – Difficult but needs an effective “authorisation” procedure • Worms – make sure AV is always uptodate and ensure all latest patches are installed • Massive task given the number of patches being released • Are you protecting all the different entry points?

  20. Digital Risks • Viruses • Denial of Service • Unauthorised access • Abuse of the systems • Malicious code

  21. Some other issues • IT Staff are probably stretched “fighting fires” • Range of skills unavailable – impossible to be good at everything • Intrusion Detection Systems generating so many alerts impossible to tell actual threats from “background noise” • Lack of management support – I don’t want to know your problems just “fix it”

  22. Recap Raise awareness that IT Security is • an important business issue, • deserves the attention of the organisational leadership AND • must be part of an overall risk management strategy for the organisation

  23. The risks are known Your choice to act or ignore

  24. ACT • Identify your IT assets and determine their value • Identify the risks and determine the likelihood of the risk • Formulate a policy to manage the risks • Train the users in implementing the policy • Use a firm that can help you design an effective risk management strategy

  25. Questions? • Contact Vipul Shah Tel: 2133040 or 0741 784 786 Email: vipul@pcsolutions.co.tz Mtendeni Street, DSM

More Related