
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Cyber Schmyber: The Relevance of Principles

Andrea C Simmons, FBCS CITP, CISSP, CISM, MA, M.Inst.ISP, ISSA Senior Member

25th March 2013


The premise

• Worshipping at the foot of all things "cyber" (or indeed "cloud") is proving to be a distraction that is taking us off course from succeeding at our necessary information security endeavours - from building security in across both the software design landscape and the infrastructure architecture, to ensuring board level understanding.

• There is less of a "cyber skills crisis" and more of an "understanding crisis".

• So let’s cut through the cyber-waffle and bring us back to the basics in a strongly impassioned plea.

• "Cyber" requires a full and detailed understanding of the basics; basics that still hold true as first principles and must be learned in the same way as learning that Tuesday follows Monday, or "30 days hath September, April, June and November"……


Cyber in the news…/ on t’internet

• Cyber Attack – South Korean banks and broadcasters
  • http://www.telegraph.co.uk/technology/internet-security/9943388/Cyber-warfare-more-must-be-done.html
  • http://www.slideshare.net/moriyachi/cyber-attack-on-south-korean-2013323-02

• North Korea – hacking warriors being trained
  • http://www.huffingtonpost.com/2013/03/24/north-korea-cyber-warfare-warriors-trained-teams_n_2943907.html

• Top 20 Controls
  • http://www.cpni.gov.uk/advice/cyber/

• China IP address link to South Korea attack
  • http://www.bbc.co.uk/news/world-asia-21873017

Our response should be simple..."we are not afraid", as we have the practices and technology necessary to blunt these types of attacks.


Collective self deception

To die for an idea; it is unquestionably noble. But how much nobler it would be if men died for ideas that were true! (H.L. Mencken)

The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge. (Prof Stephen Hawking)


The Library of Babel

• Enshrines all information

• Yet no knowledge can be discovered there precisely because all knowledge is there

• Shelved side by side with all falsehood

Jorge Luis Borges, 1941


Cyber is only ONE element of a BIG picture

Well-Formed Risk Statement

Asset – What are you trying to protect?

Threat – What are you afraid of happening?

Vulnerability – How could the threat occur?

Mitigation – What is currently reducing the risk?

Probability – How likely is the threat given the controls?

Impact – What is the impact to the business?


Cyber is NOT new

1. Physical Security

2. Communications Security (COMSEC) [40s]

3. Operational Security (OPSEC) [50s]

4. Automated Data Processing Security [60s]

5. Computer Security (COMPUSEC) [90s]

6. IT Security (ITSEC) [90s]

7. Information Systems Security (INFOSEC) [90s]
   • Merged COMSEC and COMPUSEC following rapid change in technology
   • Combined in a new paradigm to become INFOSEC, internationally recognised in Common Criteria

8. Information Assurance [00s]

9. Cyber – in the media….. [10s]

(Timeline axis on the slide begins at 3000 BC)


InfoSec definition – US based

Protection of information systems against unauthorised access to or modification of information, whether in storage, processing or transit and against the denial of service to authorised users, including those measures necessary to detect, document and counter such threats.

[NSTISSI 4009, 2000]


InfoSec definition – UK based

Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved [ISO/IEC 17799:2005]

• The objective of information security is to ensure the continuity of business management and to reduce interruptions of business by preventing and minimising the consequences of security incidents.

• Compliance - Ensuring appropriate measures are in place to enforce and constantly check and update the policies that support the CIA above.


CIA in motion

Confidentiality – Ensuring the information is accessible only to those authorised, as some data is more sensitive

Availability – Ensuring the access to information is available when and where required and is not denied to any authorised user

Integrity – Protecting the accuracy and completeness of information


Confidentiality

Protecting information from being read or copied by anyone who has not been explicitly authorized by the owner of that information.

Related terms and concepts

• Encryption

• Shredding of documents

• Digital Signatures

• Key pairs

• Access control


Integrity

• Verifies and maintains the accuracy and consistency of the data and prevents / detects unauthorized changes.

• Ensures that the data was not altered and can be trusted

Related terms and concepts

• Cyclic Redundancy Check (CRC) in frame trailers

• Digital signatures

• Encryption

• Key pairs

• Locks

• Access Control


Availability

• Ensuring that authorized users have access to information and associated assets when required

• Mandated by most compliance standards (SOX, HIPAA, PCI....)

Related terms and concepts:

• RAID

• Alternate sites

• Clusters

• Backups

• Offsite backup storage

• Fault Tolerant

• Fire suppression system

• Business Continuity Planning/Disaster Recovery Planning


Security defined

• Security is about preserving your assets
  • keeping private “stuff” private
  • keeping your secrets, secret
  • making sure only people who should access what data can
  • making sure your data is always there, always the way you left it
  • making sure you trust your sources
  • and complying with government and industry regulations.

• It’s about keeping people and your critical assets safe.

• Security is about managing your risks.


Putting it all together (c. 2006)

• Information Assurance is the confidence that the information assets within an organisation are reliable, accurate, secure and available when required.

• Information Assurance:
  • includes information held in every form (information systems, on paper, other records)
  • is underpinned by a management process that takes a co-ordinated approach to information assets across an organisation.
  • embraces information management – including information security management, information and records management, data protection, privacy (because of close confidentiality links and Organization for Economic Co-operation and Development [OECD] guidance requirements) and physical protection
  • includes aspects of: corporate governance, risk management, business continuity
  • must be maintained throughout an organisation’s lifecycle in the face of changing threats, vulnerabilities and dependencies.


Assurance joins it all up

This is the reporting piece, amongst other elements.

(Diagram: Governance, Compliance, Risk, Assurance)


HMG SPF

Seven Security Policy Documents

1. Governance, Risk Management and Compliance

2. Protective Marking and Asset Control

3. Personnel Security

4. Information Security and Assurance

5. Physical Security

6. Counter-Terrorism

7. Business Continuity

https://www.gov.uk/government/publications/security-policy-framework


Risk and compliance must respond to numerous pressures

(Diagram: Risk Management)


Uncovering the risk profile

Let’s simplify this rather than segregate it

• Organizations have information assets.

• These information assets are the new “oil” of the information society.

• Information health will be the new dialogue.

• Information health relates to Big Data, bringing together issues around data quality, confidentiality, integrity, availability (core information security principles), authenticity, provenance, etc.

• Compromise of these information assets can be detrimental to share price, reputation, or longevity as a business.

• Education on issues and impact increases support for information protection.

• Go beyond compliance obligations to efficient, transparent, and secure management of cloud services, external auditing, and partnering for information asset based risk management infrastructure architecture.

What are your top 5 risks, concerns, issues, security breaches, audit findings?


Risk management

Managing risk involves understanding what threatens the company’s assets, assessing the vulnerabilities and likelihood that a threat-source can break through your defenses, and implementing a strategy to strengthen defenses and weaken the threat to minimize the damage.

Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Risk management is a program, not a project. It requires strong corporate support and ongoing focus.


Breaking it down

1. Identify information assets

2. Value the information assets using Business Impact Assessments

3. Assess risk of the information assets - threats x likelihood x cost

4. Select controls

5. Test effectiveness of controls


The risk equation

Risk = Threat x Vulnerability x Cost (Impact)


Risk language

Risk capacity: the amount and type of risk an organization is able to support in pursuit of its business objectives.

Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of its business objectives.

Risk tolerance: the specific maximum risk that an organization is willing to take regarding each relevant risk.

Risk target: the optimal level of risk that an organization wants to take in pursuit of a specific business goal.

Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding risk limits will typically act as a trigger for management action.
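The well-formed risk statement, the five-step breakdown, the risk equation and the risk language above can be tied together in a small risk register that scores each statement and reports which threshold it crosses. This is an added example, not code from the presentation or from HP; the 1-5 rating scales, the threshold values and the register entries are constructed assumptions.

```python
"""Risk register worked from the deck's slides: the well-formed risk
statement, Risk = Threat x Vulnerability x Cost (Impact), and the
risk-language thresholds (target, limit, tolerance).
Added example, not from the original presentation; the 1-5 scales,
thresholds and sample entries below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5      # assumed ordinal scale for each factor
MAX_SCORE = SCALE_MAX ** 3       # 125: worst case of the product


@dataclass(frozen=True)
class RiskStatement:
    """The six fields of the 'Well-Formed Risk Statement' slide plus the
    ratings needed to score it."""
    asset: str                # what are you trying to protect?
    threat: str               # what are you afraid of happening?
    vulnerability: str        # how could the threat occur?
    mitigation: str           # what is currently reducing the risk?
    threat_level: int         # likelihood the threat-source acts (1-5)
    vulnerability_level: int  # how exploitable, given current controls (1-5)
    impact: int               # cost to the business if it happens (1-5)

    def __post_init__(self) -> None:
        for name in ("threat_level", "vulnerability_level", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name}={value} is outside {SCALE_MIN}-{SCALE_MAX}")

    def score(self) -> int:
        """Risk = Threat x Vulnerability x Cost (Impact), as on the slide.
        'Probability' is how likely the threat is given the controls, so the
        vulnerability rating is the factor that mitigation lowers."""
        return self.threat_level * self.vulnerability_level * self.impact


@dataclass(frozen=True)
class RiskPolicy:
    """Thresholds from the 'Risk language' slide, on the 1-125 score scale."""
    target: int     # optimal level of risk the organisation wants to take
    limit: int      # exceeding it triggers management action
    tolerance: int  # specific maximum risk the organisation will take

    def __post_init__(self) -> None:
        if not 0 <= self.target <= self.limit <= self.tolerance <= MAX_SCORE:
            raise ValueError("expected target <= limit <= tolerance <= 125")


def classify(risk: RiskStatement, policy: RiskPolicy) -> str:
    """Map a scored risk onto the policy bands, highest band first."""
    s = risk.score()
    if s > policy.tolerance:
        return "beyond tolerance: must be treated or escalated"
    if s > policy.limit:
        return "limit exceeded: management action triggered"
    if s > policy.target:
        return "above target: monitor"
    return "at or below target"


def top_risks(register: list[RiskStatement], n: int = 5) -> list[tuple[int, str]]:
    """Answer the slide's question 'what are your top 5 risks?' by score."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.score(), r.asset) for r in ranked[:n]]


# Constructed sample register (illustrative entries, not real findings).
REGISTER = [
    RiskStatement("Customer database", "Data breach by an external attacker",
                  "Unpatched internet-facing server", "Monthly patching, WAF",
                  threat_level=4, vulnerability_level=3, impact=5),
    RiskStatement("Payroll records", "Accidental disclosure by staff",
                  "E-mail sent to the wrong recipient", "Awareness training, DLP in motion",
                  threat_level=3, vulnerability_level=2, impact=3),
    RiskStatement("Order processing system", "Outage from hardware failure",
                  "Single server, no cluster", "Nightly backups, offsite storage",
                  threat_level=2, vulnerability_level=4, impact=4),
    RiskStatement("Paper HR files", "Theft from the office",
                  "Unlocked filing cabinet", "Badge access to the floor",
                  threat_level=1, vulnerability_level=3, impact=2),
]
POLICY = RiskPolicy(target=12, limit=30, tolerance=48)  # assumed thresholds

if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.score():3d}  {risk.asset:24s} {classify(risk, POLICY)}")
    print("Top risks:", top_risks(REGISTER, 3))
```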


Four significant risks

Legal compliance – what law applies and how do you manage your data within this

Reputational risk - not wanting to be in the papers....

Investment risk – unable to realise investment because of data restrictions?

Reticence risk – afraid to use data, but your competitors may be

Seven Myths of Information Governance, page 26, ISACA Journal, Volume 4, 2012, Vasant Raval, Greg Dyche – doesn’t adequately describe Information Governance.... still not including RM, IM etc... still very IT centric


Five neglects in Risk Management

1. Probability neglect - people sometimes don't consider the probability of the occurrence of an outcome, but focus on the consequences only.

2. Consequence neglect - just like probability neglect, sometimes individuals neglect the magnitude of outcomes.

3. Statistical neglect - instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb (if any heuristics), which can introduce systematic biases in their decisions.

4. Solution neglect - choosing an optimal solution is not possible when one fails to consider all of the solutions.

5. External risk neglect - in making decisions, individuals or groups often consider the cost/benefits of decisions only for themselves, without including externalities, sometimes leading to significant negative outcomes for others.

http://www.rff.org/Documents/Events/090622_Risk_Regulation/090622_Zeckhauser4.pdf


“Security is 10% product and 90% process” – Bruce Schneier

• Security needs physical, technical and administrative controls to be in place

• Security is about embedding a framework approach incorporating people, process and technology

• Security is about protecting your data from harm from natural disasters, from man-made attacks, and from technical problems.


Controls defined

Preventive controls (“before the fact”) – The most important control type since, if 100% effective (which it never is), none of the others would be necessary – physical barriers, passwords, etc.

Detective controls (“after the fact”) - If a preventive mechanism fails, this is the first type of control necessary to identify the facts prior to correction – audit trails, monitoring, etc.

Corrective controls (“before or after the fact”) - designed to correct a problem once identified – change control, overrides, etc.

Compliance controls (“enforcing the fact”) - designed to keep you inside the law and your Chief Executive Officer out of jail – observing data protection laws, avoiding libel, etc.

Deterrent controls (“instead of the fact”) - designed to advise against certain forms of action - security policy, logon warning, etc.

(Palmer, 2011)


Information Security Programs

Adversaries attack the weakest link…where is yours?

Risk assessment

Security planning, policies, procedures

Configuration management and control

Contingency planning

Incident response planning

Security awareness and training

Security in acquisitions

Physical security

Personnel security

Security assessments

Certification and accreditation

Access control mechanisms

Identification & authentication mechanisms (Biometrics, tokens, passwords)

Audit mechanisms

Encryption mechanisms

Boundary and network protection devices (Firewalls, guards, routers, gateways)

Intrusion protection/detection systems

Security configuration settings

Anti-viral, anti-spyware, anti-spam software

Smart cards

Links in the Security Chain: Management, Operational, and Technical Controls


HP research: Top concerns for IT executives

(Chart of four concerns, with 67%, 66%, 63% and 54% of respondents concerned; legend: Extremely concerned / Somewhat concerned / Not very concerned)

• Data privacy and information breaches

• Lack of skilled resources to effectively manage security

• Risk associated with more consumption of apps/IT services across public, private & hybrid cloud

• Risk associated with more consumption of apps/IT services

Source: HP 20:20 CIO Report, 2012

Focus areas: Security Breach Management; Security Intelligence; Cloud Security; Integrated GRC


Transformation

HP Security maturity model

Stages: Blissful ignorance → Awareness → Corrective → Operations excellence (axes: Level of Control, Risk)

• Establish Security Teams & Remit

• Operational Processes aligned to strong security policy

• Security tracks and enables business and technology change

• Actionable security intelligence & monitoring capability

Lower total cost of ownership


HP complete information security principles

Hybrid Security Infrastructure

Governance, Risk and Compliance (GRC)

Security Operations & Intelligence

Actionable security intelligence

Integrated & optimized security operations

Manage information security risk


Journey to the Secure Boardroom

(Diagram: ASSESS, MANAGE, TRANSFORM & OPTIMISE, METRICS)


HP approach to complete information security

HP helps customers move from security to risk management

Assess security investments and performance

Transform from silos to a comprehensive view

Optimize to proactively improve security posture

Manage security effectively

Moving from Reactive to Proactive Information Security & Risk Management


HP Security Service Management – Secure Relationships

(Diagram; recoverable labels listed below)

Layers: Hybrid Security Infrastructure; Governance, Risk and Compliance (GRC); Security Operations & Intelligence

Domains: Data Center, Network, Apps & Data, Users & Devices

Governance functions: Security Strategy, Risk, Policy, Architecture & Standards, Compliance & Audit, Performance Metrics

Operations functions: OP Sec, Monitoring, TVM, Incident Response, IAM, BCRS

Controls: E-Mail Security; Database Security; Web/URL Filtering; DLP – In Motion; Secure Perimeter; Web Application FW; DLP – In Use; Cloud Infrastructure Security; Endpoint Protection; Enterprise Mobile Security; DLP – At Rest; IDS/IPS; Encryption; Network Access Control; Application Vuln Scanning; Secure Application Development & Delivery

External parties: Customers, Partners, Suppliers

Security Service Management (SSM): SSM SLAs & Metrics, SSM Control Framework, SSM Hub


HP Enterprise Security Solutions delivered globally

Security monitoring and management

Governance, risk and compliance management

Security intelligence + analytics

Network security

Security breach solutions

Integrated operations

Data management

Cloud security solutions


Trust is at the heart of this

Cyber Trust and Crime Prevention, 11 years ago…..

• Trust is a major principle underlying the development of security policies

• Initial step is to determine who gets access

• Deciding on level of trust is a delicate balancing act
  • Too much trust may lead to eventual security problems
  • Too little trust may make it difficult to find and keep employees or get jobs done

• How much should you trust people regarding their access or usage of computer and network resources?


Possible trust models

Trust everyone all of the time:

• easiest to enforce, but impractical

• one bad apple can ruin the whole barrel

Trust no one at no time:

• most restrictive, but also impractical

• difficult to staff positions

Trust some people some of the time:

• exercise caution in amount of trust given

• access is given out as needed

• technical controls are needed to ensure trust is not violated


Cyber Hygiene

• Unpatched and out of date machines put us all at risk

• Hygiene as a meme (memetics) - an idea, behavior or style that spreads from person to person within a culture

• Semiotics - the study of signs and sign processes (semiosis), likeness, analogy, metaphor, symbolism, signification, and communication.

• Me centric vs us centric / Free riding vs common good

• Check out: http://www.zdnet.com/10-security-best-practice-guidelines-for-consumers-7000012171/


http://www.getsafeonline.org/


Pink Bat Thinking

Pink bat thinking required – to get past the sensory overload of all things Cyber

Turn the problem into the solution…..

http://play.simpletruths.com/movie/pink-bat/?cm_mmc=CheetahMail-_MO-_-10.10.11-_-TPODmovie&utm_source=CheetahMail&utm_campaign=TPODmovie


Thank you

Andrea C. Simmons, CISSP, CISM, FBCS CITP, M.Inst.ISP, MA

Email: [email protected] / [email protected]

Blog: www.bcs.org/blogs/security

LinkedIn: www.linkedin.com/in/andreasimmons

Mobile: +44 7961 508775

Land: +44 1905 356268


We can protect what matters.

Together.

HP Enterprise Security


Appendices


Andrea Simmons FBCS CITP CISM CISSP MA M.Inst.ISP

Global Head of Policy & Risk Governance for HP Enterprise Security Services

Information security/assurance/governance/compliance evangelist with expertise in several disciplines garnered over 15 years in the industry working across the public and private sector. The endeavor is always to shape the information security landscape and develop the Information Assurance Profession for the future.

Achievements

Author of Achieving Best Practice in Public Sector Information Security, Ark Group Publishing, ISBN 978-1-906355-39-5, published December 2008

Author of Once more unto the Breach – Managing Information Security in an Uncertain World, ISBN: 9781849283885, published Spring 2012, http://www.itgovernance.co.uk/products/3901

Fellow of the BCS, Chartered Institute for IT, occasional Security blogger - http://www.bcs.org/blogs/security and member of the Security Community of Expertise

Management Committee Member of the Information Assurance Advisory Council, http://www.iaac.org.uk/

Director of the Institute of Information Security Professionals, http://www.instisp.org/

Senior Member of the ISSA, http://www.issa.org/

ISACA member, http://www.isaca.org/

Volunteer delivering Safe and Secure Online programs to UK schools for ISC2, https://www.isc2.org/