Security Risk Mitigation Bob Wright Director

1
Security Risk Mitigation Bob WrightDirector
Enterprise Information SecurityBellSouth
2
Why Have Security?

• Reduce Business Risks
• Financial
• Strategic
• Legal
• Reduce Security Risks to Critical National
  Infrastructures

3
Balancing Security Decisions
Functionality Ease of Use Cost
Security Level
4
What Are The Security Risks

• Attacks on e-Business sites
• Attacks on internal IT community sites
• Virus attacks
• Attacks on Public Network Infrastructure
• Internet abuse
• Legal implications - sex, gambling, etc.
• Productivity implications - online stock trading,
  etc.
• Compromise of Company Proprietary Information or
  Customer Information
• Accidental compromise
• Intentional compromise
• Compromise using stolen privileges

5
Where Do The Risks Originate

• Unsophisticated hackers (Script Kiddies)
• Malicious, loosely organized hackers
• Employees
• Contractors, Sourcing Partners, Vendors,
  Customers, Competitors
• Terrorists
• Cyber Warfare

6
Mitigation Strategy

• Policy, Standards, Awareness
• Layered Defenses
• Focus on critical systems
• Leverage Partners and Prime Vendors
• Proactive Security Audit Scans
• Corporate and External Audits
• Create Security Processes
• Contracting
• Variances
• Application and Infrastructure development
• Industry Partnerships

7
Layered Security Defenses
Network Scan for vulnerabilities
PC
Monitor for intrusions and virus
Monitor for intrusions and virus
Public Internet
Corporate Network
Data
Access Controls
Access Controls
Host based - Access - Vulnerability - Real time

8
Summary

• Security is easy ONLY if you have no customers,
  no vendors, and no employees
• Otherwise, security requires
• Senior Management attention
• Strategies, resources, and processes
• Focus
• There are no silver bullets, but there are many
  mitigation tools available