© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Cyber Schmyber: The Relevance of Principles
Andrea C Simmons, FBCS CITP, CISSP, CISM, MA, M.Inst.ISP, ISSA Senior
Member
25th March 2013
The premise
• Worshipping at the foot of all things "cyber" (or indeed "cloud") is proving to
be a distraction that is taking us off course from succeeding at our
necessary information security endeavours - from building security in across
both the software design landscape and the infrastructure architecture, to
ensuring board level understanding.
• There is less of a "cyber skills crisis" and more of an "understanding
crisis".
• So let’s cut through the cyber-waffle and bring us back to the basics in a
strongly impassioned plea.
• "cyber" requires a full and detailed understanding of the basics; basics that
still hold true as first principles and must be learned in the same way
as learning that Tuesday follows Monday, or "30 days hath September, April,
June and November"……
Cyber in the news…/ on t’internet
• Cyber Attack – South Korean banks and broadcasters
• http://www.telegraph.co.uk/technology/internet-security/9943388/Cyber-warfare-more-must-be-done.html
• http://www.slideshare.net/moriyachi/cyber-attack-on-south-korean-2013323-02
• North Korea – hacking warriors being trained
• http://www.huffingtonpost.com/2013/03/24/north-korea-cyber-warfare-warriors-trained-teams_n_2943907.html
• Top 20 Controls
• http://www.cpni.gov.uk/advice/cyber/
• China IP address link to South Korea attack
• http://www.bbc.co.uk/news/world-asia-21873017
Our response should be simple..."we are not afraid", as we
have the practices and technology necessary to blunt these
types of attacks
Collective self deception
To die for an idea;
it is unquestionably noble.
But how much nobler it would be if men died for ideas that were true!
H.L. Mencken
The greatest enemy of knowledge is not ignorance,
it is the illusion of knowledge.
Prof Stephen Hawking
The Library of Babel
• Enshrines all information
• Yet no knowledge can be discovered there precisely
because all knowledge is there
• Shelved side by side with all falsehood
Jorge Luis Borges, 1941
Cyber is only ONE element of a BIG picture
Well-Formed Risk Statement
• Asset – What are you trying to protect?
• Threat – What are you afraid of happening?
• Vulnerability – How could the threat occur?
• Mitigation – What is currently reducing the risk?
• Probability – How likely is the threat given the controls?
• Impact – What is the impact to the business?
Cyber is NOT new
1. Physical Security
2. Communications Security (COMSEC) [40s]
3. Operational Security (OPSEC) [50s]
4. Automated Data Processing Security [60s]
5. Computer Security (COMPUSEC) [90s]
6. IT Security (ITSEC) [90s]
7. Information Systems Security (INFOSEC) [90s]
• Merged COMSEC and COMPUSEC following rapid change in technology
• Combined in a new paradigm to become INFOSEC, internationally recognised in
Common Criteria
8. Information Assurance [00s]
9. Cyber – in the media….. [10s]
(Timeline axis begins at 3000 BC)
Cyber Trust and Crime Prevention
The Foresight project on Cyber Trust & Crime Prevention launched its findings on 10th
June 2004. http://www.bis.gov.uk/foresight/our-work/projects/published-projects/cyber-trust
InfoSec definition – US based
Protection of information systems against unauthorised access to or modification
of information, whether in storage, processing or transit and against the denial of
service to authorised users, including those measures necessary to detect,
document and counter such threats.
[NSTISSI 4009, 2000]
InfoSec definition – UK based
Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved [ISO/IEC 17799:2005]
• The objective of information security is to ensure the continuity of
business management and to reduce interruptions of business by
preventing and minimising the consequences of security incidents.
• Compliance - Ensuring appropriate measures are in place to enforce and
constantly check and update the policies that support the CIA above.
CIA in motion
• Confidentiality – Ensuring the information is accessible only to those authorised, as some data is more sensitive
• Availability – Ensuring the access to information is available when and where required and is not denied to any authorised user
• Integrity – Protecting the accuracy and completeness of information
Confidentiality
Protecting information from being read or
copied by anyone who has not been explicitly
authorized by the owner of that information.
Related terms and concepts
• Encryption
• Shredding of documents
• Digital Signatures
• Key pairs
• Access control
Integrity
• Verifies and maintains the accuracy and consistency of the data and prevents / detects
unauthorized changes.
• Ensures that the data was not altered and can be trusted
Related terms and concepts
• Cyclic Redundancy Check (CRC) in frame trailers
• Digital signatures
• Encryption
• Key pairs
• Locks
• Access Control
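The list above puts CRC next to digital signatures and key pairs, but they answer different questions: a CRC catches accidental corruption in transit, while a keyed check resists deliberate alteration as well. The Python below is an added example, not part of the original slides; it uses an HMAC as the keyed check (standing in for a signature, since it needs only the standard library), and the shared key and message are constructed samples.

```python
import hashlib
import hmac
import zlib

# Constructed sample key; a real deployment would hold it in a key store, never in source
SHARED_KEY = b"example-shared-key-not-for-production"


def crc_tag(message: bytes) -> int:
    """CRC-32 of the message, as carried in a frame trailer."""
    return zlib.crc32(message) & 0xFFFFFFFF


def crc_verify(message: bytes, tag: int) -> bool:
    return crc_tag(message) == tag


def hmac_tag(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256: an integrity check that cannot be recomputed without the key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # constant-time comparison so verification time does not leak how much of the tag matched
    return hmac.compare_digest(hmac_tag(message, key), tag)


def flip_one_bit(message: bytes) -> bytes:
    """Simulate line noise: one bit of the first byte changes in transit."""
    damaged = bytearray(message)
    damaged[0] ^= 0x01
    return bytes(damaged)


def compare_checks() -> dict:
    original = b"transfer 100 to account 42"   # constructed sample message
    crc = crc_tag(original)
    mac = hmac_tag(original)
    results = {}

    # Case 1: accidental corruption. Both checks notice the change.
    noisy = flip_one_bit(original)
    results["crc_detects_bit_flip"] = not crc_verify(noisy, crc)
    results["hmac_detects_bit_flip"] = not hmac_verify(noisy, mac)

    # Case 2: deliberate modification by whoever can rewrite the whole frame.
    # The CRC carries no secret, so a rewritten frame with a freshly computed
    # CRC verifies just as well as the original did.
    modified = b"transfer 900 to account 42"
    results["crc_accepts_rewritten_frame"] = crc_verify(modified, crc_tag(modified))

    # The HMAC needs the key: the old tag no longer matches, and a tag
    # computed under any other key does not match either.
    results["hmac_rejects_old_tag"] = not hmac_verify(modified, mac)
    results["hmac_rejects_other_key_tag"] = not hmac_verify(
        modified, hmac_tag(modified, b"some-other-key"))
    return results
```

The CRC belongs to the transmission-error story; against an adversary, integrity needs a key, either a MAC shared by both ends or a digital signature whose private key only the signer holds.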
Availability
• Ensuring that authorized users have access to information and associated assets when
required
• Mandated by most compliance standards (SOX, HIPAA, PCI....)
Related terms and concepts:
• RAID
• Alternate sites
• Clusters
• Backups
• Offsite backup storage
• Fault Tolerant
• Fire suppression system
• Business Continuity Planning/Disaster Recovery Planning
Security defined
• Security is about preserving your assets
• keeping private “stuff” private
• keeping your secrets, secret
• making sure only people who should access what data can
• making sure your data is always there, always the way you left it
• making sure you trust your sources
• and complying with government and industry regulations.
• It’s about keeping people and your critical assets safe.
• Security is about managing your risks.
Putting it all together (c. 2006)
• Information Assurance is the confidence that the information assets
within an organisation are reliable, accurate, secure and available when
required.
• Information Assurance:
  • includes information held in every form (information systems, on paper, other records)
  • is underpinned by a management process that takes a co-ordinated approach to information assets across an organisation.
  • embraces information management – including information security management, information and records management, data protection, privacy (because of close confidentiality links and Organization for Economic Co-operation and Development [OECD] guidance requirements) and physical protection
  • includes aspects of: corporate governance, risk management, business continuity
  • must be maintained throughout an organisation’s lifecycle in the face of changing threats, vulnerabilities and dependencies.
Assurance joins it all up
This is the reporting piece, amongst other elements.
(Diagram: Governance, Risk and Compliance, joined up by Assurance)
HMG SPF
Seven Security Policy Documents
1. Governance, Risk Management and Compliance
2. Protective Marking and Asset Control
3. Personnel Security
4. Information Security and Assurance
5. Physical Security
6. Counter-Terrorism
7. Business Continuity
https://www.gov.uk/government/publications/security-policy-framework
Risk and compliance must respond to numerous pressures
(Diagram: Risk Management)
Uncovering the risk profile
Let’s simplify this rather than segregate it
• Organizations have information assets.
• These information assets are the new “oil” of the information society.
• Information health will be the new dialogue.
• Information health relates to Big Data, bringing together issues around data quality, confidentiality, integrity, availability (core information security principles), authenticity, provenance, etc.
• Compromise of these information assets can be detrimental to share price, reputation, or longevity as a business.
• Education on issues and impact increases support for information protection.
• Go beyond compliance obligations to efficient, transparent, and secure management of cloud services, external auditing, and partnering, for an information-asset-based risk management infrastructure architecture.
What are your top 5 risks, concerns, issues, security breaches, audit findings?
Risk management
Managing risk involves understanding what threatens the company’s assets,
assessing the vulnerabilities and likelihood that a threat-source can break
through your defenses, and implementing a strategy to strengthen defenses and
weaken the threat to minimize the damage.
Risk management is the process of identifying risk, assessing risk, and taking
steps to reduce risk to an acceptable level. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Risk management is a program, not a project.
It requires strong corporate support and ongoing focus.
Breaking it down
1. Identify information assets
2. Value of the information assets using Business Impact Assessments
3. Assess risk of the information assets - threats x likelihood x cost
4. Select controls
5. Test effectiveness of controls
The risk equation
Risk = Threat x Vulnerability x Cost (Impact)
Risk language
Risk capacity: the amount and type of risk an organization is able to support in pursuit of
its business objectives.
Risk appetite: the amount and type of risk an organization is willing to accept in pursuit of
its business objectives.
Risk tolerance: the specific maximum risk that an organization is willing to take regarding
each relevant risk.
Risk target: the optimal level of risk that an organization wants to take in pursuit of a
specific business goal.
Risk limit: thresholds to monitor that actual risk exposure does not deviate too much from
the risk target and stays within an organization’s risk tolerance/risk appetite. Exceeding
risk limits will typically act as a trigger for management action.
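The well-formed risk statement, the five steps under "Breaking it down", the risk equation and the risk language above fit together in one small risk register. The Python below is an added example, not the author's or HP's material: the 1–5 scales, the linear "control effect" model for mitigation, the threshold values and both register entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class RiskStatement:
    """One line of a risk register, laid out as the well-formed risk statement."""
    asset: str            # what are you trying to protect?
    threat: str           # what are you afraid of happening?
    vulnerability: str    # how could the threat occur?
    mitigation: str       # what is currently reducing the risk?
    threat_level: int     # 1-5: how capable/likely the threat source is (assumed scale)
    vuln_level: int       # 1-5: how exposed the asset is before controls (assumed scale)
    impact: int           # 1-5: cost to the business if it happens (assumed scale)
    control_effect: float = 0.0  # assumption: fraction of exposure removed by current mitigation

    def inherent_risk(self) -> int:
        # Risk = Threat x Vulnerability x Cost (Impact), ignoring controls
        return self.threat_level * self.vuln_level * self.impact

    def residual_risk(self) -> float:
        # same product, with the vulnerability term reduced by what the mitigation achieves
        return self.threat_level * self.vuln_level * (1.0 - self.control_effect) * self.impact


@dataclass
class RiskPolicy:
    """Risk language from the slide, expressed as thresholds on residual risk."""
    target: float     # optimal level the organisation wants to run at
    limit: float      # exceeding this triggers management action
    tolerance: float  # maximum the organisation is willing to take on this risk


def classify(stmt: RiskStatement, policy: RiskPolicy) -> str:
    r = stmt.residual_risk()
    if r > policy.tolerance:
        return "unacceptable"      # outside tolerance: must be treated or escalated
    if r > policy.limit:
        return "action"            # limit breached: trigger management action
    if r > policy.target:
        return "monitor"           # within limit, above target: keep watching
    return "within target"


def select_controls(stmt: RiskStatement, candidates, policy: RiskPolicy) -> list:
    """Step 4: add candidate controls (name, added_effect, cost), cheapest per
    unit of effect first, until residual risk is back inside the risk limit."""
    chosen = []
    for name, effect, cost in sorted(candidates, key=lambda c: c[2] / c[1]):
        if stmt.residual_risk() <= policy.limit:
            break
        stmt.control_effect = min(1.0, stmt.control_effect + effect)
        chosen.append(name)
    return chosen


def run_example() -> dict:
    """Steps 1-5 on a constructed two-line register (all values are illustrative)."""
    policy = RiskPolicy(target=10, limit=30, tolerance=40)
    db = RiskStatement(
        asset="customer database", threat="external attacker",
        vulnerability="unpatched database host", mitigation="perimeter firewall",
        threat_level=4, vuln_level=4, impact=5, control_effect=0.25)
    kiosk = RiskStatement(
        asset="lobby visitor kiosk", threat="vandalism",
        vulnerability="publicly accessible", mitigation="none",
        threat_level=1, vuln_level=2, impact=3)
    candidates = [("patch management", 0.5, 20),
                  ("database encryption at rest", 0.2, 40),
                  ("MFA for administrators", 0.25, 10)]
    out = {"db_inherent": db.inherent_risk(),
           "db_residual_before": db.residual_risk(),
           "db_class_before": classify(db, policy)}
    out["db_controls_added"] = select_controls(db, candidates, policy)
    out["db_residual_after"] = db.residual_risk()      # step 5: re-test effectiveness
    out["db_class_after"] = classify(db, policy)
    out["kiosk_controls_added"] = select_controls(kiosk, candidates, policy)
    out["kiosk_class"] = classify(kiosk, policy)
    return out
```

The point of separating target, limit and tolerance is that the register answers two different questions: "is this risk acceptable at all?" (tolerance) and "has it drifted far enough from where we want it that someone must act?" (limit).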
Four significant risks
Legal compliance – what law applies and how do you manage your data within
this
Reputational risk - not wanting to be in the papers....
Investment risk – unable to realise investment because of data restrictions?
Reticence risk – afraid to use data, but your competitors may be
Seven Myths of Information Governance, page 26, ISACA Journal, Volume 4, 2012, Vasant Raval, Greg Dyche –
doesn’t adequately describe Information Governance.... still not including RM, IM etc... still very IT centric
Five neglects in Risk Management
1. Probability neglect - people sometimes don't consider the probability of the occurrence of an outcome, but focus on the consequences only.
2. Consequence neglect - just like probability neglect, sometimes individuals neglect the magnitude of outcomes.
3. Statistical neglect - instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb (if any heuristics), which can introduce systematic biases in their decisions.
4. Solution neglect - choosing an optimal solution is not possible when one fails to consider all of the solutions.
5. External risk neglect - in making decisions, individuals or groups often consider the cost/benefits of decisions only for themselves, without including externalities, sometimes leading to significant negative outcomes for others.
http://www.rff.org/Documents/Events/090622_Risk_Regulation/090622_Zeckhauser4.pdf
“Security is 10% product and 90% process” – Bruce Schneier
• Security needs physical, technical and administrative controls to be in place
• Security is about embedding a framework approach incorporating people, process and
technology
• Security is about protecting your data from harm from natural disasters, from man-made
attacks, and from technical problems.
Controls defined
Preventive controls (“before the fact”) – The most important control type since, if 100%
effective (which it never is), none of the others would be necessary – physical barriers,
passwords, etc.
Detective controls (“after the fact”) - If a preventive mechanism fails, this is the first type
of control necessary to identify the facts prior to correction – audit trails, monitoring, etc.
Corrective controls (“before or after the fact”) - designed to correct a problem once
identified – change control, overrides, etc.
Compliance controls (“enforcing the fact”) - designed to keep you inside the law and
your Chief Executive Officer out of jail – observing data protection laws, avoiding libel, etc.
Deterrent controls (“instead of the fact”) - designed to advise against certain forms of
action - security policy, logon warning, etc.
(Palmer, 2011)
Information Security Programs
Adversaries attack the weakest link…where is yours?
Risk assessment
Security planning, policies, procedures
Configuration management and control
Contingency planning
Incident response planning
Security awareness and training
Security in acquisitions
Physical security
Personnel security
Security assessments
Certification and accreditation
Access control mechanisms
Identification & authentication mechanisms
(Biometrics, tokens, passwords)
Audit mechanisms
Encryption mechanisms
Boundary and network protection devices
(Firewalls, guards, routers, gateways)
Intrusion protection/detection systems
Security configuration settings
Anti-viral, anti-spyware, anti-spam software
Smart cards
Links in the Security Chain: Management, Operational, and Technical Controls
HP research: Top concerns for IT executives
(Chart; legend: Extremely concerned / Somewhat concerned / Not very concerned)
• 67% – Data privacy and information breaches (Focus: Security Breach Management)
• 66% – Lack of skilled resources to effectively manage security (Focus: Security Intelligence)
• 63% – Risk associated with more consumption of apps/IT services across public, private & hybrid cloud (Focus: Cloud Security)
• 54% – Risk associated with more consumption of apps/IT services (Focus: Integrated GRC)
Source: HP 20:20 CIO Report, 2012
Transformation
HP Security maturity model
(Diagram: level of control rises and risk falls across four stages, with lower total cost of ownership)
1. Blissful ignorance – Establish security teams & remit
2. Awareness – Operational processes aligned to strong security policy
3. Corrective – Security tracks and enables business and technology change
4. Operations excellence – Actionable security intelligence & monitoring capability
HP complete information security principles
Hybrid Security Infrastructure
Governance, Risk and Compliance (GRC)
Security Operations & Intelligence
Actionable security intelligence
Integrated & optimized
security operations
Manage information security risk
Journey to the Secure Boardroom
(Cycle diagram: Assess, Transform & Optimise, Manage; Metrics throughout)
HP approach to complete information security
HP helps customers move from security to risk management
Assess security investments and performance
Transform from silos to a comprehensive view
Optimize to proactively improve security posture
Manage security effectively
Moving from Reactive to Proactive Information Security & Risk Management
HP Security Service Management – Secure Relationships
(Architecture diagram, flattened)
• Hybrid Security Infrastructure: Governance, Risk and Compliance (GRC); Security Operations & Intelligence
• Infrastructure domains: Data Center; Network; Apps & Data; Users & Devices
• Security Strategy: Risk; Policy; Architecture & Standards; Compliance & Audit; Performance Metrics
• Security operations: OpSec Monitoring; TVM; Incident Response; IAM; BCRS
• Control areas: E-Mail Security; Database Security; Web/URL Filtering; DLP – In Motion; Secure Perimeter; Web Application FW; DLP – In Use; Cloud Infrastructure Security; Endpoint Protection; Enterprise Mobile Security; DLP – At Rest; IDS/IPS; Encryption; Network Access Control; Application Vuln Scanning; Secure Application Development & Delivery
• Relationships: Customers; Partners; Suppliers
• Security Service Management (SSM): SSM SLAs & Metrics; SSM Control Framework; SSM Hub
HP Enterprise Security Solutions delivered
globally
Security monitoring and management
Governance, risk and
compliance management
Security intelligence +
analytics
Network security
Security breach solutions
Integrated operations
Data management
Cloud security solutions
Trust is at the heart of this
Cyber Trust and Crime Prevention, 11 years ago…..
• Trust is a major principle underlying the development of security
policies
• Initial step is to determine who gets access
• Deciding on level of trust is a delicate balancing act
• Too much trust may lead to eventual security problems
• Too little trust may make it difficult to find and keep employees or get
jobs done
• How much should you trust people regarding their access to, or usage of, computer and network resources?
Possible trust models
Trust everyone all of the time:
• easiest to enforce, but impractical
• one bad apple can ruin the whole barrel
Trust no one at no time:
• most restrictive, but also impractical
• difficult to staff positions
Trust some people some of the time:
• exercise caution in amount of trust given
• access is given out as needed
• technical controls are needed to ensure trust is not violated
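The third model, "trust some people some of the time", is the one technical controls can actually implement: deny by default, give access per person, resource and action as needed, let grants expire, and log every decision so that a violated trust shows up. The Python below is an added example, not from the original deck; the principals, the file name, the timestamps and the ticket reference are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Grant:
    principal: str
    resource: str
    action: str          # "read" or "write"
    expires: datetime    # time-bounded: trust is given for "some of the time"
    justification: str   # recorded so the grant can be reviewed later


class AccessPolicy:
    """Default-deny access control: a request is allowed only if an explicit,
    matching, unexpired grant exists. Every decision goes to an audit log, the
    technical control that shows whether the trust given is being honoured."""

    def __init__(self) -> None:
        self._grants: List[Grant] = []
        self.audit_log: List[Tuple[str, str, str, str, bool, str]] = []

    def grant(self, g: Grant) -> None:
        self._grants.append(g)

    def is_allowed(self, principal: str, resource: str, action: str, now: datetime) -> bool:
        decision, reason = False, "no matching grant"          # default: deny
        for g in self._grants:
            if (g.principal, g.resource, g.action) == (principal, resource, action):
                if now < g.expires:
                    decision, reason = True, f"grant valid until {g.expires.isoformat()}"
                    break
                reason = f"grant expired at {g.expires.isoformat()}"
        self.audit_log.append((now.isoformat(), principal, resource, action, decision, reason))
        return decision

    def review(self, now: datetime) -> List[Grant]:
        """Grants past their expiry: candidates for removal at periodic access review."""
        return [g for g in self._grants if now >= g.expires]


def demo() -> dict:
    """Constructed scenario: one analyst gets read access to one payroll file for a shift."""
    t0 = datetime(2013, 3, 25, 9, 0, tzinfo=timezone.utc)    # constructed timestamp
    payroll = "payroll/2013-q1.xlsx"                           # constructed resource name
    policy = AccessPolicy()
    policy.grant(Grant("alice", payroll, "read",
                       expires=t0 + timedelta(hours=8),
                       justification="quarterly audit support, ticket HYPOTHETICAL-123"))
    next_day = t0 + timedelta(days=1)
    return {
        "alice_read_in_shift": policy.is_allowed("alice", payroll, "read", t0),
        "alice_write_in_shift": policy.is_allowed("alice", payroll, "write", t0),   # not granted
        "bob_read_in_shift": policy.is_allowed("bob", payroll, "read", t0),         # never granted
        "alice_read_next_day": policy.is_allowed("alice", payroll, "read", next_day),
        "expired_grants_next_day": len(policy.review(next_day)),
        "decisions_logged": len(policy.audit_log),
    }
```

Two design points carry the model: the "for ... else" style default means an unknown request is denied without anyone having to write a deny rule, and the audit log records denials as well as approvals, since a run of denied requests for one resource is exactly what a review of trust should see.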
Cyber Hygiene
• Unpatched and out of date machines put us all at risk
• Hygiene as a meme (memetics) - an idea, behavior or
style that spreads from person to person within a culture
• Semiotics - the study of signs and sign processes
(semiosis), likeness, analogy, metaphor, symbolism,
signification, and communication.
• Me centric vs us centric / Free riding vs common good
• Check out: http://www.zdnet.com/10-security-best-practice-guidelines-for-consumers-7000012171/
http://www.getsafeonline.org/
Pink Bat Thinking
Pink bat thinking required – to get past the sensory overload of all things Cyber
Turn the problem into the solution…..
http://play.simpletruths.com/movie/pink-bat/?cm_mmc=CheetahMail-_MO-_-10.10.11-_-TPODmovie&utm_source=CheetahMail&utm_campaign=TPODmovie
Thank you
Andrea C. Simmons, CISSP, CISM, FBCS CITP, M.Inst.ISP, MA
Email: [email protected] / [email protected]
Blog: www.bcs.org/blogs/security
LinkedIn: www.linkedin.com/in/andreasimmons
Mobile: +44 7961 508775
Land: +44 1905 356268
We can protect what matters.
Together.
HP Enterprise Security
Appendices
Andrea Simmons FBCS CITP CISM CISSP MA M.Inst.ISP
Global Head of Policy & Risk Governance for HP Enterprise Security Services
Information security/assurance/governance/compliance evangelist with expertise in several disciplines garnered over 15 years
in the industry working across the public and private sector. The endeavor is always to shape the information security
landscape and develop the Information Assurance Profession for the future.
Achievements
Author of Achieving Best Practice in Public Sector Information Security, Ark Group Publishing, ISBN 978-1-906355-39-5,
published December 2008
Author of Once more unto the Breach – Managing Information Security in an Uncertain World, ISBN: 9781849283885,
published Spring 2012, http://www.itgovernance.co.uk/products/3901
Fellow of the BCS, Chartered Institute for IT, occasional Security blogger - http://www.bcs.org/blogs/security and member of
the Security Community of Expertise
Management Committee Member of the Information Assurance Advisory Council, http://www.iaac.org.uk/
Director of the Institute of Information Security Professionals, http://www.instisp.org/
Senior Member of the ISSA, http://www.issa.org/
ISACA member, http://www.isaca.org/
Volunteer delivering Safe and Secure Online programs to UK schools for ISC2, https://www.isc2.org/