
Page 1: Cobit 2

Managing Information Security Risks

Ken M. Shaurette, CISSP, CISA, CISM, IAM
Information Security Solutions Manager

MPC Security Solutions

TechFest, December 2003

Page 2: Cobit 2

Agenda

• Why Security?
• Information Assets
• Threats
• Vulnerabilities
• Dynamic Security Methodology
• Risk Management
• MPC Security Solutions Delivers

Page 3: Cobit 2

Why Security?

• Legislation and community pressure
• Inappropriate use leads to disciplinary action.
• Protecting critical infrastructures (InfraGard, DHS)
• Liability?
• It's simply a good idea!

Page 4: Cobit 2

Regulations Touch Everyone!

Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security, July 22, 2003.

Page 5: Cobit 2

Once upon a time….

Page 6: Cobit 2

Then things started to get a little ugly….

Page 7: Cobit 2

Security used to be easy to understand

• Payroll Office…
  – Lock on door
  – Lock on file cabinet
  – Audits

Equals reasonable security

Page 8: Cobit 2

Security is now a little more complex

• Active Directory, x.500, NDS, Shadow Passwords
• VPN, PPTP, Telnet, SSH, IPSEC, Encryption
• Wireless, Fiber, ATM, T1, DS3, Dial-up, Cell, PDA
• PKI, Kerberos, DES, DES3, SHA, CHAP, PAP
• Client Server, Mainframe, ASP, Web Services
• Thin Client, Thick Client, Skinny Client, Tall Client
• Terminal Server, Distance Learning
• HTTPS, SSL

Page 9: Cobit 2

You know more than you think…

• Information Security is about Information
• Technology is a piece of the puzzle
• You should not have to master technology in order to manage risk

Page 10: Cobit 2

The “Good” News

• Technology has become easier and easier to implement

  – Anyone can install a server
  – Anyone can install a network
  – Anyone can bring up a web server
  – Anyone can get connected (in lots of ways)

Page 11: Cobit 2

The “Bad” News

• Technology has become easier and easier to implement

  – Anyone can install a server
  – Anyone can install a network
  – Anyone can bring up a web server
  – Anyone can get connected (in lots of ways)

Page 12: Cobit 2

What are we securing against?

• Identity Theft
• Privacy issues
• Copyright issues
• Hijacking of resources
• Liability
• Regulations

Page 13: Cobit 2

Information Assets

Which does your organization have?
  – Records about special programs
  – Resident's information
  – Financial information
  – Health information
  – Statistical information

Page 14: Cobit 2

Information Assets

How do you identify value?
  – Accounting / "book value"
  – Intrinsic value / Replacement Cost
  – Formal quantifiable methods (BCP/DRP)
  – "Gut feel"

Page 15: Cobit 2

The “Best” News

• There is hope!

Page 16: Cobit 2

Information Assets

• What is worth protecting?
  – Confidentiality (keeping secrets)
  – Integrity (tamper-proofing)
  – Availability (there when you need it)

• Why protect?
  – Community expectations
  – Regulatory requirements
  – Perception
  – Liability

Page 17: Cobit 2

Information Assets

How do you protect?
  – "Classification" (secret, top secret, unclassified)
  – Policies (separation of duties, appropriate use)
  – "Security Awareness training"
  – "Common Sense" or "Second Thought" approach

Page 18: Cobit 2

Information Assets

How much do you spend on protection?
  – Is it based on the value of the information?
  – Is it based on the number and likelihood of threats?
  – Are vulnerabilities accounted for?
  – How much is enough protection?
  – Is Return on Investment (ROI) expected or required?

Page 19: Cobit 2

Threats - Motive

• What is the nature of a threat?
  – Confidentiality (learning secrets)
  – Integrity (tampering with data)
  – Availability (denial of service)

• Who poses a threat to the organization?
  – Terrorists
  – Former employees
  – Unhappy residents
  – Hackers

Page 20: Cobit 2

Vulnerabilities

• Absence or weakness of a safeguard
  – Safeguards reduce the likelihood of expected loss from a threat
  – Can be well known, such as a missing IIS patch
  – Can be unknown, such as a design error

• Types of vulnerabilities
  – Technical
  – Non-technical

Page 21: Cobit 2

Could any of these occur?

• Sexual harassment or stalking performed using your computers?
• Email threats to residents, officials, politicians?
• Community questions about how their tax money is being used.
• Community asks how computer systems are being wasted?

Page 22: Cobit 2

[Diagram: Dynamic Security Infrastructure cycle. Stages: Baseline Current Security; Strategy Definition; Security Architecture; Deploy Solutions; Compliance Reporting; Periodic Re-evaluation. Inputs: New Risks, Legislation, Security Requirements. Questions on the arrows between stages: "Where Are We Today?", "Where Do We Need to Be?", "What Are The Short Falls?" (Perform Gap Analysis), "How Do We Get There?", "What Is Our Security Policy?", "Implement!", "Experience Feedback".]

Page 23: Cobit 2

Security Risk Management

• Understand the value of information
• Understand the threats
• Understand vulnerabilities and corresponding safeguards
• Invest wisely in appropriate safeguards that reduce the impact of threats.
• Emergency preparedness

Page 24: Cobit 2

Risk Mitigation

• Understand security risk
• Understand technology
• Accept risk
  – Documentation of risk acceptance is a form of mitigation.
• Defer or transfer risk
  – Insurance
• Mitigate risk
  – Technology can mitigate risk
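The slides on spending (slide 18), risk management (slide 23) and risk mitigation (slide 24) describe the decision but give no worked numbers. The following is an added example, not part of the presentation or MPC's material: a toy risk register that ranks entries by expected loss and then applies slide 24's three options (accept, transfer, mitigate). The loss model (asset value x exposure x annual likelihood), the safeguard ROI test, the risk appetite figure and every asset, threat and cost value are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    """One line of a risk register: an information asset and a threat to it."""
    asset: str
    value: float        # book or replacement value of the asset (slide 14)
    threat: str         # the threat being considered (slide 19)
    likelihood: float   # assumed expected occurrences of the threat per year
    exposure: float     # fraction of the value lost per occurrence, 0..1 (slide 20)

    def expected_loss(self) -> float:
        """Annualised expected loss = value x exposure x likelihood (assumed model)."""
        return self.value * self.exposure * self.likelihood


@dataclass
class Safeguard:
    """A candidate control with its yearly cost and how much loss it removes."""
    name: str
    annual_cost: float
    reduction: float    # fraction of the expected loss the safeguard removes, 0..1


def safeguard_roi(risk: Risk, safeguard: Safeguard) -> float:
    """Return on investment of a safeguard: (loss avoided - cost) / cost."""
    avoided = risk.expected_loss() * safeguard.reduction
    return (avoided - safeguard.annual_cost) / safeguard.annual_cost


def decide_treatment(risk: Risk, appetite: float,
                     safeguard: Optional[Safeguard] = None,
                     insurance_premium: Optional[float] = None) -> Tuple[str, float]:
    """Pick one of slide 24's options: accept, mitigate, or transfer.

    Returns (treatment, annual cost of that treatment).
    """
    loss = risk.expected_loss()
    if loss <= appetite:
        return ("accept", 0.0)                      # small enough to document and accept
    if safeguard is not None and safeguard_roi(risk, safeguard) > 0:
        return ("mitigate", safeguard.annual_cost)  # the safeguard pays for itself
    if insurance_premium is not None and insurance_premium < loss:
        return ("transfer", insurance_premium)      # defer/transfer via insurance
    return ("accept", 0.0)       # nothing costs less than the loss; document the acceptance


def sample_register() -> List[Risk]:
    """Constructed sample entries; the figures are illustrative, not from the talk."""
    return [
        Risk("Resident health records", 500_000, "Unauthorised disclosure", 0.2, 0.5),
        Risk("Payroll system", 200_000, "Compromise via unpatched web server", 0.5, 0.3),
        Risk("Public web site content", 5_000, "Defacement", 1.0, 1.0),
    ]


def treatment_plan(appetite: float = 10_000) -> Dict[str, Tuple[str, float]]:
    """Rank the register by expected loss and choose a treatment for each entry."""
    # Constructed safeguard and insurance options per asset (hypothetical values).
    options = {
        "Resident health records": (Safeguard("Access controls + awareness training", 12_000, 0.7), None),
        "Payroll system": (Safeguard("Platform replacement", 40_000, 0.9), 10_000),
        "Public web site content": (None, None),
    }
    plan: Dict[str, Tuple[str, float]] = {}
    for risk in sorted(sample_register(), key=lambda r: r.expected_loss(), reverse=True):
        safeguard, premium = options[risk.asset]
        plan[risk.asset] = decide_treatment(risk, appetite, safeguard, premium)
    return plan


if __name__ == "__main__":
    for asset, (treatment, cost) in treatment_plan().items():
        print(f"{asset:26s} -> {treatment:9s} (annual cost {cost:,.0f})")
```

Running the block shows the three outcomes side by side: the health records risk is mitigated because the control's avoided loss exceeds its cost, the payroll risk is transferred because the only available safeguard costs more than it saves, and the web defacement risk falls within the appetite and is documented as accepted.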

Page 25: Cobit 2

How Can MPC Help?

• Services
  – Information Security Operational Planning (ISOP)
  – Information Security Assessment Project (SA)
  – Security Policy Review and Writing
  – Security Risk Management Program

Page 26: Cobit 2

How Can MPC Help?

• Services
  – Network Perimeter Security Sweep (NPSS)
  – Internal Network Security Sweep (INSS)
  – Secure Network Operations Center (RSMC) for monitoring the network (IDS or firewall)

Page 27: Cobit 2

How Can MPC Help?

• Technology
  – Monitoring/Auditing Tools: workstation usage, license measurement and computer utilization (5th Column)
  – Access Controls: wireless, Active Directory, NDS, multiple-factor authentication (Novell, Microsoft)
  – Filtering & Proxy Tools (Websense)
  – Firewalls (PIX, Cyberguard)

Page 28: Cobit 2

How Can MPC Help?

• Technology
  – Intrusion Detection/Prevention (Host and Network)
  – Application Gateways
  – IP Video Surveillance
  – Secure Network Infrastructure Design
  – Wireless Technology

Page 29: Cobit 2

Thank You!