Frontline Enterprise Security

Presented by:
Michael Weaver, CISSP, QSA
Sword & Shield Enterprise Security
October 6, 2015

Who am I?
Senior Enterprise Consultant at Sword &
Shield
Started hacking around the age of 12 on
a Windows 3.11 machine using a 14.4k
modem
Started a professional IT career doing
systems and network administration in
2002
2

What does a S&S Enterprise

Consultant do?

Audits and assessments on compliance standards, technology

configuration, and information security best practices
Advisement on business decisions related to information security
Supplement information security staff to assist with projects,
technology, training, etc.
Draft, review, and revise policies
Training on technologies, compliance, and general security concepts
3

Audits

What Kind of Audits?

FISMA, GLBA, HIPAA, ISO 27001 and SOX gap analysis
Gap Analysis How close are you to adhering to the
compliance framework?
PCI compliance
Compliance The governing authority recognizes that
you are meeting or exceeding the requirement of the
standard.
Risk Assessments based on NIST 800-30
Assessment Applying my knowledge and expertise
to evaluate your organization according to NIST and
other standards. How well is your organization
protected from actual threats and how likely are they?
5

Evidence
Policies and Procedures to show that the organization has set
expectations and communicated them to the appropriate parties.
Standard sets of supporting documents, such as diagrams, logs,
screen shots, configuration files, etc., are requested in every
engagement. However, I dig a lot deeper when you make
extraordinary claims or hide something.
Interviews with people who setup the controls protecting the
information.
Observations of the work areas and the secure areas where the
information is stored, processed, or transmitted.
Verification through action.
6

Typical Compliance and Security

Issues
Policies and procedures
Are they kept up-to-date?
Are they known throughout the organization?
Are they followed?

Giving people higher privileges than they need.

Local Admin rights STOP THIS!

Not reviewing, collecting, keeping, alerting, and responding to security events.

Not Staying current on patches or having a well developed plan to patch everything in your
environment.
Training
Service Accounts. Lock them down. Yes, you need to change the password, but possibly not
as often as normal user accounts.
Letting your data walk out the door and letting people bring anything in.
Having exceptions to the rules, but only if they promise to be safe.
7

Getting to the Information without

Hacking
Physical methods - social engineering, tailgating,
phishing, just taking the information, unlocked
computers in public area, or taking pictures or
videos (office windows).
Using passwords that should have been changed
or accounts that should have been disabled.
Having exposed information. BYOD, missing or
incorrectly configured security controls (VLANs),
removable media, Outlook Anywhere, and using
cloud storage or services.
Sharing passwords or letting other people use
your computer or device.
8

How to Resolve the Issues

Technology Solutions

Basic Firewall
Web Application Firewall
Multifactor
Biometric
Web Filter
MSSP/SIEM
DDoS Mitigation
Mobile Device
Management
Password Management
Update Management
IDS/IPS

Backup Solutions
Email Archiving
DR Sites
Whitelisting
Enterprise Wireless
Data Loss Prevention
Vulnerability Scanning
Secure File Transfer
NAC
Inventory Managemen
FIM
10

Steps to Success
1. Senior leadership within the organization must
understand and support security decisions or they will fail.
2. Everyone in the organization must know their
responsibilities and ownership in the security program.
3. You need visibility and knowledge of how information
flows through the business.
4. Identify and address all risks to your information. All
identified risks will be accepted, avoided, mitigated, or
transferred.
5. Develop a security plan and set goals to obtain a strong
security posture.
6. Get help when you need it. Training, 3 rd parties, and
additional staff can provide additional knowledge,
expertise, and resources.
11

Questions
?

12

Thank you!

13