La descarga está en progreso. Por favor, espere

La descarga está en progreso. Por favor, espere

Seguridad en los procesos de negocio: herramientas para una gestión integral del riesgo Gabriel Marcos Product Manager – Columbus Networks

Presentaciones similares


Presentación del tema: "Seguridad en los procesos de negocio: herramientas para una gestión integral del riesgo Gabriel Marcos Product Manager – Columbus Networks"— Transcripción de la presentación:

1

2 Seguridad en los procesos de negocio: herramientas para una gestión integral del riesgo Gabriel Marcos Product Manager – Columbus

3 Una pelea desigual PRESUPUESTO DÍA A DÍA PROYECTOS HACKERS RIESGOS CONOCIDOS RIESGOS POTENCIALES POLÍTICAS CORPORATIVAS HACKERS RIESGOS DESCONOCIDOS

4 DNS Grupos Usuarios Dominios Perfiles Parches Clusters Load balancing IP address DNS Grupos Usuarios Dominios Perfiles Parches Clusters Load balancing IP address Documentación Manejo de inventario Licenciamiento Scripts Configuraciones Change management Bases de conocimiento Training Documentación Manejo de inventario Licenciamiento Scripts Configuraciones Change management Bases de conocimiento Training Ejemplo: tareas de un administrador Se enfoca en seguridad en su tiempo libre…

5 Ejemplo: pandillas de cibercriminales 6 personas - 5 años de afectados 100 países U$S 14 MM de ingresos

6 Brazilian banks were targets for distributed denial-of-service attacks, with massive assaults against HSBC Brazil, Banco da Brasil, Itau Unibanco Multiplo SA and Banco Bradesco SA. Hactivists took credit for the DDoS spree. Una mirada al 2012 At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health, according to officials from the Utah Department of Technology Services and Utah Department of Health, which theorised that attacks from Eastern Europe bypassed security controls because of configuration errors. In May, Utah CIO Steven Fletcher resigned because of it. Researchers from Seculert discovered what they say is a botnet command-and-control server holding 45,000 login credentials Facebook users exploited by a pervasive worm, Ramnit, infecting Windows and designed to infect computers and steal social networking usernames and passwords. Hactivist group Anonymous brought down the websites of trade groups U.S. Telecom Association and TechAmerica, apparently for their support of the cybersecurity bill proposed by Rep. Mike Rogers that would allow the private companies and the government to share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Privacy advocates, including the ACLU and Center for Democracy and technology, contend the bills shreds privacy protections. Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank did not make an extortion payment of $197,000. Elantis confirmed the data breach but said the bank will not give in to extortion threats. About 6.5 million cryptographic hashes of LinkedIn user passwords were stolen and posted online, a breach LinkedIn acknowledged though it didn't discuss specific numbers, which may be much less due to duplicates. LinkedIn invalidated the passwords of impacted users and the company said s will be sent to users whose passwords were compromised, though it warned about updating passwords via links sent in .

7 Brazilian banks were targets for distributed denial-of-service attacks, with massive assaults against HSBC Brazil, Banco da Brasil, Itau Unibanco Multiplo SA and Banco Bradesco SA. Hactivists took credit for the DDoS spree. Una mirada al 2012 At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health, according to officials from the Utah Department of Technology Services and Utah Department of Health, which theorised that attacks from Eastern Europe bypassed security controls because of configuration errors. In May, Utah CIO Steven Fletcher resigned because of it. Researchers from Seculert discovered what they say is a botnet command-and-control server holding 45,000 login credentials Facebook users exploited by a pervasive worm, Ramnit, infecting Windows and designed to infect computers and steal social networking usernames and passwords. Hactivist group Anonymous brought down the websites of trade groups U.S. Telecom Association and TechAmerica, apparently for their support of the cybersecurity bill proposed by Rep. Mike Rogers that would allow the private companies and the government to share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Privacy advocates, including the ACLU and Center for Democracy and technology, contend the bills shreds privacy protections. Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank did not make an extortion payment of $197,000. Elantis confirmed the data breach but said the bank will not give in to extortion threats. About 6.5 million cryptographic hashes of LinkedIn user passwords were stolen and posted online, a breach LinkedIn acknowledged though it didn't discuss specific numbers, which may be much less due to duplicates. LinkedIn invalidated the passwords of impacted users and the company said s will be sent to users whose passwords were compromised, though it warned about updating passwords via links sent in . BOTNET CONFIG ERROR EXTORSION HACTIVISMO DDOS PHISHING

8 Ejemplo: APT (Advanced Persistent Threat) Websense Threat Report2012 The Year in Review for Threats

9

10 La cruda realidad: En la mayoría de los casos, estamos indefensos y a merced de quien quiera realizar un mínimo esfuerzo para conseguir explotar una vulnerabilidad. Las medidas de seguridad que están implementadas en muchas organizaciones resultan insuficientes para entregar un nivel mínimo de seguridad. La cruda realidad: En la mayoría de los casos, estamos indefensos y a merced de quien quiera realizar un mínimo esfuerzo para conseguir explotar una vulnerabilidad. Las medidas de seguridad que están implementadas en muchas organizaciones resultan insuficientes para entregar un nivel mínimo de seguridad.

11 Enfoque de la gestión del riesgo: lo que dice el manual… PLAN DO ACT CHECK Políticas de seguridad Organización de la información Administración de activos Recursos humanos Seguridad física y ambiental Seguridad de las operaciones Control de acceso Desarrollo y mantenimiento de sistemas Gestión de incidentes Continuidad del negocio Cumplimiento legal y regulatorio

12 Seguridad de la información PLAN DO ACT CHECK ENFOQUE OPERATIVO …lo que pasa en realidad: Falta de información Qué tan efectivos son los controles? Seguro que estamos atacando TODOS los problemas? Dónde enfocar la solución? Falta de ejecución Expectativas vs funcionalidad. Servicio funcionando o garantizado? Riesgo acotado? Soluciones fáciles poco efectivas. Falta de dirección Hoy vs. Mañana. Cumplimiento regulatorio. ROI / TCO. Tecnología vs servicio.

13 Algunas ideas…

14 The enterprise of the future – Implications for the CIO - IBM El enfoque operativo de seguridad es contrario a la generación de valor e innovación

15 Tendencias regulatorias El fin del anonimato?... …la justificación que necesitábamos?

16 Consumerización (qué?!) Consumerization is the growing tendency for new information technology to emerge first in the consumer market and then spread into business and government organizations. Es cada vez más difícil decirle NO al usuario The primary impact of consumerization is that it is forcing businesses, especially large enterprises, to rethink the way they procure and manage IT equipment and services. Historically, central IT organizations controlled the great majority of IT usage within their firms, choosing or at least approving of the systems and services that employees used. Consumerization enables alternative approaches. Today, employees and departments are becoming increasing self-sufficient in meeting their IT needs.

17 Metodología Identificar necesidades Definir zonas de riesgo Crear controles a medida Monitorear globalmente Procesos proactivos Mejora continua Identificar necesidades Definir zonas de riesgo Crear controles a medida Monitorear globalmente Procesos proactivos Mejora continua

18 Consumir vs. crear servicios de seguridad

19 Seguridad en procesos de negocio HP Enterprise Security: Next-Generation Application Monitoring: Combining Application Security Monitoring and SIEM

20 Quién tiene la primera pregunta? GRACIAS Gabriel Marcos Product Manager – Columbus


Descargar ppt "Seguridad en los procesos de negocio: herramientas para una gestión integral del riesgo Gabriel Marcos Product Manager – Columbus Networks"

Presentaciones similares


Anuncios Google