BCS - Nottingham: Offshoring and Security (In Reverse Order)
John Walker FBCS CITP CISM MICAF PG.Cert
British Computer Society Registered Security Specialist
Head of Operational Security
Genesis
1993 - Polymorphism arrives as a real threat
Brain – Pakistan
Jerusalem – Israel
Cascade – West Germany
Vienna – Austria
Ping-Pong – Italy
1995 - Is Windows NT susceptible to virus infections? (VB March 1995 ISSN
First virus discovered in Russia = DOS 6.2 - Vienna
Virus Developers Quarterly – raw source code
I am assuming the other 75% were aware that they were clean?
How many holes do you think software could have?
Consider Windows XP:
40 Million: the number of lines of code in Windows XP (60M? in SP2).
5 per 1,000: even with high quality coding, you still have an estimated 5 bugs in every thousand lines of a program.
200: the number of security holes in WinXP if only 1 in 1,000 of those bugs is remotely exploitable. Might be -much- higher...
The same consideration may be applied to other applications – just look at the history of exploits!
Loads of SPAM:
Healthcare, Begging Letters
Easy ways to make money
The usual stuff (images)
Low cost, ripped off software
Loads of spIM: Possibly the first IM based attack to be mounted was against AOL, using the AOL IM. This scam has the subject "Confirm AOL billing info" and attempts to convince the user to reveal their AOL username and password. The communication goes on to advise that if the user does not follow instructions, payments to AOL can't be processed.
In the next generation of security threats, it is highly likely that VoIP will be/is a target!
Proofs of concept do exist (USA) that allow hackers to manipulate communications by inserting their ‘own’ choice of words into live conversations – consider the ramifications.
Bottom line – as with any other Network Based System, VoIP needs to be secured – don’t just think of it as a new telephone system.
See: www.facetime.com for information on VoIP Security
Based on trends to date, expected to rise by a factor of 10
Project managed attackers - Spyware can act as a trigger (Crimeware). Once this malware is running, it may start collecting data when a user visits a selected site. The accompanying emails try to drive users to the real site to log in, which activates the spyware.
W32/Rbot_GR (Peeping Tom) – locates and uses web cams to look into your personal space.
The file C:\xxx Settings\xxx\Local
Settings \TemporaryInternet Files
\Content.IE5 \xxx\xxx is infected
with Mr-Nasty.gen - Known Virus,
Detected with Scan Engine 4.4.00
DAT version 4.0.4422. The file was
PC0xxxxxxxx IP xx.xxx.xxx.xxx
user xxxx running VirusScan
4.5.1 SP1 OAS)
Every picture tells a story – AND SOME MAY NOT
The mobilisation of the workforce dictates that what has been seen thus far as the preserve of Perimeter Security to underpin and deter attacks has now had a quantum shift, encompassing such areas as:
WiFi (802.11b/g), Bluetooth, Smart Phones and PDAs
Outsourcing – how will it affect the Perimeter of Security, or what has been thus far accepted as the organisational ‘Area of Control’ (will it push it or pull it?)
Gramm-Leach-Bliley Act of 1999 (GLBA)
Securities and Exchange Commission (SEC) Compliance issues (17a-4)
USA Patriot Act
FDA’s Electronic Recordings/Signatures (ERES-21CFR11)
Mental Hygiene Law Sec. 33.13
Computer Security Act
And ... there are MORE
Probably one of the most important aspects (the FIRST) of technical security is that of how systems are built:
Remember – out of the box does not necessarily support security
Have an agreed Baseline Build for all systems, including workstations, mobiles (laptops etc), servers, and any other device that serves a production environment – you also need to consider phones and PDAs
If you outsource, or use Third Party Service Providers – don’t forget this may also apply to them
This is something old, but still gets missed
High importance should be placed on obtaining early reports of Vulnerability Alerts – if not in place, how do you know what you are at risk from?
Don’t forget this is equally important for any systems outside the Perimeter of the Organisation – home users, and say outsourced systems/applications, can also harbour insecurities and vulnerabilities - so make sure you encompass them in the plan
Out of sight/site should not be out of mind - yet it still seems to take a back seat
Patch and Fix – or Die
Closely following Alerting – Patch and Fix
Lots of stuff to consider here – the most important aspect is to stay connected to those security alerts
It is not always necessary to spend high numbers to achieve Operational Security - consider:
What do you own - already?
What can you leverage from the O/S and applications?
LOW cost, HIGH functionality
However, if you have a financial pot with no bottom, please feel free to discount these ideas
1. SNORT: Good IDS, very effective (use the language)
2. Office 2003: Document Security
3. AP Logging: Review them on a regular basis
4. Vulnerability Alerts: There are many good free ones (take a look at OSVB)
5. Use Free Encryption: Turn on NTFS for NT, 2000, and XP – better than nothing (EFS for 2000 >>)
6. WiFi - WEP: Not great, but better than nothing
7. O/S Options: Eventtriggers (Win2k, XP, 2003)
Anti-SPAM is no longer to be considered a nice to have, but is A MUST. MS have produced a very functional tool, here in its Beta Release.
Sawmill – LOW Cost, HIGH Functionality
It is essential that in any project or application lifecycle the element of security is both acknowledged and addressed (for the ex-Government people in the audience – remember Memorandum No10)
For HIGH assurance this should be done:
When conducting testing, for best effect and value, use a known methodology such as OWASP
Governance should help the business, not grind it to a halt
MSc in IT Security – Fred Piper – Royal Holloway
IISP – Institute of Information Security Professionals – Jan 2006
CISM – Certified Information Security Manager
CISSP – Certified Information Security Professional
BCS Membership – Professional Development (is key)
Read, read, and ... read – it is a fast moving area – to keep up
Drivers are high – it is now a Main Board topic, and key to
Personal opinion – I feel it will become a Main Board position
The area of expertise will grow – needs technical underpinning
I believe that it is a science (a mix of physiology and technology)
It is a challenge – can be pressured – has an element of
‘the book stops here’ – but is also rewarding and enjoyable
One quality required is, ‘decision makers are key’
Risk Assessments – post not pre
Contracts and SLA
Compliance and Governance
Mapping Process and Procedure
Are they IN or OUT?
Outsourcing is now on the up, and many organisations have entered into contracts - but the security model needs to be considered!