
Security in business processes: tools for comprehensive risk management. Gabriel Marcos, Product Manager – Columbus Networks



Transcript of the presentation "Security in business processes: tools for comprehensive risk management. Gabriel Marcos, Product Manager – Columbus Networks":


Slide 2: Security in business processes: tools for comprehensive risk management. Gabriel Marcos, Product Manager – Columbus Networks, gmarcos@columbus-business.com, @jarvel

Slide 3: An unequal fight. On one side: BUDGET, DAY-TO-DAY OPERATIONS, PROJECTS, KNOWN RISKS, POTENTIAL RISKS, CORPORATE POLICIES. On the other: HACKERS and UNKNOWN RISKS.

Slide 4: Example: an administrator's tasks. DNS, groups, users, domains, profiles, patches, clusters, load balancing, IP addresses, documentation, inventory management, licensing, scripts, configurations, change management, knowledge bases, email, training. (Source: http://www.gfi.com/blog/20-tricky-sysadmin-tasks-and-how-to-approach-them/) The administrator deals with security in their spare time…

Slide 5: Example: cybercriminal gangs. http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911 Six people, five years, 4,000,000 victims, 100 countries, US$14 million in revenue.

Slide 6: A look at 2012 (source: http://features.techworld.com/security/3370489/worst-security-muddles-so-far-of-2012/)

Brazilian banks were targets for distributed denial-of-service attacks, with massive assaults against HSBC Brazil, Banco da Brasil, Itau Unibanco Multiplo SA and Banco Bradesco SA. Hacktivists took credit for the DDoS spree.

At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health, according to officials from the Utah Department of Technology Services and Utah Department of Health, which theorised that attacks from Eastern Europe bypassed security controls because of configuration errors. In May, Utah CIO Steven Fletcher resigned because of it.

Researchers from Seculert discovered what they say is a botnet command-and-control server holding 45,000 login credentials of Facebook users, exploited by a pervasive worm, Ramnit, infecting Windows and designed to infect computers and steal social networking usernames and passwords.

Hacktivist group Anonymous brought down the websites of trade groups U.S. Telecom Association and TechAmerica, apparently for their support of the cybersecurity bill proposed by Rep. Mike Rogers that would allow private companies and the government to share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Privacy advocates, including the ACLU and Center for Democracy and Technology, contend the bill shreds privacy protections.

Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank did not make an extortion payment of $197,000. Elantis confirmed the data breach but said the bank will not give in to extortion threats.

About 6.5 million cryptographic hashes of LinkedIn user passwords were stolen and posted online, a breach LinkedIn acknowledged though it didn't discuss specific numbers, which may be much less due to duplicates. LinkedIn invalidated the passwords of impacted users and the company said emails will be sent to users whose passwords were compromised, though it warned about updating passwords via links sent in email.

Slide 7: The same 2012 incidents, labelled by category: BOTNET, CONFIGURATION ERROR, EXTORTION, HACKTIVISM, DDOS, PHISHING.

Slide 8: Example: APT (Advanced Persistent Threat). Websense Threat Report 2012: The Year in Review for Threats.


Slide 10: The harsh reality: in most cases we are defenceless, at the mercy of anyone willing to make a minimal effort to exploit a vulnerability. The security measures implemented in many organizations are insufficient to deliver even a minimum level of security.

Slide 11: The risk management approach: what the manual says… PLAN, DO, CHECK, ACT. Control domains: security policies, organization of information security, asset management, human resources, physical and environmental security, operations security, access control, systems development and maintenance, incident management, business continuity, legal and regulatory compliance.

Slide 12: Information security. PLAN, DO, CHECK, ACT. OPERATIONAL APPROACH. …what actually happens: Lack of information: how effective are the controls? Are we sure we are addressing ALL the problems? Where should the solution focus? Lack of execution: expectations vs. functionality. Is the service running, or guaranteed? Is the risk bounded? Easy solutions that are not very effective. Lack of direction: today vs. tomorrow. Regulatory compliance. ROI / TCO. Technology vs. service.

Slide 13: Some ideas…

Slide 14: "The enterprise of the future – Implications for the CIO" (IBM). The operational approach to security runs counter to value creation and innovation.

Slide 15: Regulatory trends. The end of anonymity?... …the justification we needed?

Slide 16: Consumerization (what?!). "Consumerization is the growing tendency for new information technology to emerge first in the consumer market and then spread into business and government organizations." (http://en.wikipedia.org/wiki/Consumerization) It is becoming ever harder to say NO to the user. "The primary impact of consumerization is that it is forcing businesses, especially large enterprises, to rethink the way they procure and manage IT equipment and services. Historically, central IT organizations controlled the great majority of IT usage within their firms, choosing or at least approving of the systems and services that employees used. Consumerization enables alternative approaches. Today, employees and departments are becoming increasingly self-sufficient in meeting their IT needs."

Slide 17: Methodology: identify needs, define risk zones, create tailored controls, monitor globally, proactive processes, continuous improvement.

Slide 18: Consuming vs. creating security services.

Slide 19: Security in business processes. HP Enterprise Security: "Next-Generation Application Monitoring: Combining Application Security Monitoring and SIEM".

Slide 20: Who has the first question? THANK YOU. Gabriel Marcos, Product Manager – Columbus Networks, gmarcos@columbus-business.com, @jarvel

