Fortrex Technologies is going to tell us what the major information
security concerns are now, and perhaps a bit about how ameliorate
them. This will be a vendor-neutral talk.

The “Page of Pain”

• Spam
• Peer-to-peer
• Patches
• Malicious code and automated attacks
• Wireless deployments
• Remote access
• Regulations (GLBA, HIPAA, etc.)
• Audits (FFIEC, Visa/Mastercard & SOX, etc.)
• Shrinking budgets
• Product confusion
• Standards (ISO, SAS70, etc.)
• Vendors and service providers

That’s a dozen, but we’re going to see the top 10 solutions.

Top 10 Solutions

Content Management

What is it? Screening inbound and outbound web and mail content.
Why do it? To block spam, block information leakage, reduce legal
liability, reduce congestion. How to do it? Set a policy, then
put products at the gateway. Examples are SurfControl, WebSense,
SpamAssassin.

Policy Review and Refresh

Review all security related policies to make sure they are current,
so you’ll stay in compliance with needs. Have an annual review,
keep current about regulatory changes, and current threats.

Patch Management

(Aside: speaker jokes that Microsoft will introduct an MCPM program;
Microsoft Certified Patch Manager.) Need procedures for identifying
needed patches and applying them. This is important because
most successful attacks come through vulnerabilities that
already have fixes available. How? Create a program, monitor
announcements and apply in a timely way. You need frequent
vulnerability scans; he says weekly. He mentions Nessus. The Expo
floor also has lots of tools in this area.

Device Hardening

Make sure that all hosts and other devices are only running necessary
services. Open ports that aren’t intentionally being used are a
frequent attack point. How? Document what you’ve got running, and develop
hardening standards for each type of system. Test, implement, and
maintain the standards. Realize that systems will sometimes be
deployed in a rush due to business pressures; make sure the security
people check them after they’re out there if they weren’t able to
check them ahead of time.

Incident Response

Have guidelines on handling security incidents. Example given was
a bank that had an IT compromise. Press found out, and was there.
A sysadmin took a smoking break, and started talking to the reporters.
Not good for the bank; because they had no existing guidelines on
what to do. Establish a team, document their procedures, and
exercise twice a year. Example exercise: announce symptoms (such
as a CPU utilization spike) to a team, have them simulate a response.
Fortrex has templates for this available.

Disaster Recovery & Business Continuity

This is an IT “bible” for responding to disasters to meet the
SLA required by the business continuity plan. Although companies
often don’t have a business continuity plan. Conduct a business
impact analysis (ask what’s important, and how soon), define what’s
critical, and develop recovery strategies. Develop procedures, and
exercise one each year. Update frequently.

Security Technology Effectiveness

Assess the effectiveness of your deployed security tools, to be
sure you’re getting a good return on that investment. Review your
security architecture regularly, track remote access, review your
logs, and produce regular reports. Measure how much effort you
spend dealing with security issues to develop a scorecard for
measuring effectiveness.

Application Security

These are standards for ensuring security is built into applications,
instead of going to already built applications and trying to add
security after the fact. You need to make developers aware, and
have security analysis, design, and testing an explicit part of
your development lifecycle.

Education and Training

Make end users aware of the risks inherent in the technology they
utilize. This is the cheapest risk-reducing measure. Have new
hire orientations, put up posters, have a newsletter and web site.
Create an annual security awareness day. But this can be resource
intensive.

Vendor Security

Make sure your vendors treat your sensitive information as securely
as you do. There are often regulatory requirements for this, and it
shows your customers you value their sensitive information. You need
to develop standards, and track remediation efforts.

Score yourself on each point on a 1-5 point scale, and average your
scores. Apparently, the average is 2.9. (Note that this is a C-
on an A, B, C, D, F scale.)

Future Top 10 Wannabees

• Enterprise security management
• Threat and vulnerability management
• Reporting security metrics (scorecards)
• Formalize security program (and make it a corporate concernt,
  not just IT)

A very good talk, and finally the kind of thing I was expecting at
this meeting.