infosec base concepts and governance
TRANSCRIPT
8/14/2019 Infosec Base Concepts and Governance
1/157
Information Security-
Base Concepts & Leadership
Jeromie Jackson - CISSP, CISM, COBIT & ITIL Certified
[email protected] [email protected]
Brief Bio.
President- San Diego OWASP
Vice President- San Diego ISACA
CISSP Since 1996
CISM, COBIT, & ITIL Certified
SANS Mentor
Security Solutions Architect @ TIG
Articles
Covered in Forbes Magazine
Credit Union Business Magazine
Credit Union Magazine
CU Times
Insurance & Technology Review
CMP Media
Storage Inc.
Speaking Events
SPC 2009
SecureIT 2008
SecureIT 2009
Interop
Government Technology Conference (GTC)
Many Credit Union Leagues
Agenda
IT Audit is not Enough
Network Security
Web Application Security
Countermeasures
Ignorance is Risk
Managing by Measurement
IT Assessment
IT Audit is not enough
Unclear Scope
New Vulnerabilities/Risks
Use of Lagging Indicators
Common IT Audit Deficiencies
Third-party agreements and contracts weak
Employee Awareness Training needed improvement
Too many privileged accounts
Inability to document user privileges
Log collection weak
Critical assets not clearly defined & documented
DR/BCP not regularly tested
Internal controls not routinely reviewed
Change management documentation & consistency lacking
ERP systems riddled with segregation issues
- Paul Proctor and Gartner Risk & Compliance Research Community, March 2007
Human Stupidity
Changing configurations
Installing rogue programs
Human Error (audits)
Conduct an IT Risk Assessment
Critical Assets
Critical assets provide the services that enable the business
May be external facing
May be a single machine or set of machines
Risk Management Frameworks & Functions
Frameworks
NIST SP 800-30
OCTAVE
OCTAVE Allegro
Factor Analysis of Information Risk (FAIR)
Primary Functions
Create value
Integral organizational process
Continual, systematic, focused on continual improvement
Account for people, process, and technology
Octave Allegro
Great for a small group
Smaller in scope than other options
Can be conducted in waves (e.g., IT, business, etc.)
Containers
Describe where the information resides
May be a single system
May be a group of systems
Does not have to be electronic
Threats
Describe the actors that act upon vulnerabilities, creating risk to the organization
Threat Trees
Vulnerabilities
Issues which cause a system or process to deliver undesirable results
May impact confidentiality, integrity, or availability
Risks
The result of a threat agent acting upon a vulnerability
Examples:
Vulnerability exploitation
Compromise of sensitive data
Manipulation of funds/account data
Denial of service against Internet-facing systems
Deliverables
Identification of critical assets
Ranking of assets
Portfolio view of organizational risks
Network Security
TCP/IP
Transmission Control Protocol / Internet Protocol
The Internet is based on TCP/IP
Designed for unreliable networks
IPv4 prominent with IPv6 growing
TCP, UDP, & ICMP are the primary packet types
TCP
Connection-oriented
Used when integrity or state is necessary
Maintains state
3-way handshake to initiate session
Significant overhead compared to UDP
TCP/IP/Packet
Telnet
Command-line interface to the operating system
Commonly used for networking equipment and UNIX systems
Transmits credentials and session data in cleartext
SSH should be used instead
SSH
Encrypted replacement for Telnet
Enables remote management through a CLI
Preferred method of remote management
Should be used instead of Telnet
HTTP
Hypertext Transfer Protocol
Pieces of a page (images, text, etc.) are fetched as separate requests, each historically over its own TCP connection
Cleartext: anything sent can be read or altered in transit
OK to be used across network segments (external to DMZ)
HTTPS
Secure HTTP
Encrypted with Secure Sockets Layer (SSL) or Transport Layer Security (TLS)
SSL is deprecated; its weaknesses include reliance on MD5 in the handshake, so use current TLS versions
Application data is now an encrypted payload
May conduct server, and optionally client, authentication
OK to be used across network boundaries (external to DMZ)
SMTP
Simple Mail Transfer Protocol
Over port 25
Used to transfer mail between servers and for outbound mail
Notorious for security vulnerabilities
OK to be exposed from the Internet to the DMZ
SMTP Relaying
An open relay allows someone from one domain to relay mail through another organization's SMTP server
An SMTP server should only relay outbound email from the domains it serves, and accept inbound mail only for those domains
EXPN/VRFY
EXPN - Expand address: attempts to expand a mailing list into its member addresses
VRFY - Verify address: attempts to validate whether an address exists
Both let an attacker enumerate valid accounts; many systems will (and should) return a generic response or disable the commands
POP
POP - Post Office Protocol
Port 110
Used to retrieve email
Basic POP sends the password in cleartext; APOP uses an MD5 challenge-response instead
APOP or IMAP are preferred over plain POP; today either should run over TLS
Server Message Block (SMB)
This is the protocol associated with Microsoft file sharing, network printers, and serial ports (e.g., for network-based modems)
Due to the complexity and bulkiness of this protocol it is recommended not to allow it across boundaries whenever possible
It should never be exposed to Internet connections
Remote Desktop Protocol (RDP)
Windows Terminal Services
Not recommended for direct exposure on the Internet
Instead use: VPN, Citrix, HTTPS, VMware
R-Commands
rsh - remote shell
rlogin - remote login
rcp - remote copy
etc.
R-commands allow users to define their own trust (access control) in .rhosts and hosts.equiv
Exploited with "+ +" entries in .rhosts, etc., which trust any host and any user
Cleartext with host-based trust only: R-commands should not be used; use SSH instead
IP Security (IPSEC)
Used for VPNs
Can run in two modes
Tunnel - the entire original IP packet (header and payload) is encrypted and encapsulated in a new packet with a new src/dst pair
Transport - only the payload is encrypted; the original IP header is kept
Tunnel Vs. Transport
Voice Over IP (VOIP)
Allows for phone conversations across IP networks
Many security risks:
Sniffing
MAC spoofing
Application vulnerabilities
Session hijacking
File Transfer Protocol (FTP)
Common protocol used to transfer files; credentials and data are sent in cleartext
May be used across boundaries into a DMZ
Historically many vulnerabilities
I often find exposure here
Trivial File Transfer Protocol (TFTP)
Similar to FTP but less interactive; UDP-based with no authentication
Not used very often
Can be used inbound into a DMZ
UDP Pros and Cons
Connectionless protocol
No error correction or retransmission
No sequence numbers and no 3-way handshake
MUCH easier to spoof as a result
No acknowledgements: datagrams are sent without any confirmation of delivery
Domain Name System (DNS)
Used to resolve hostnames to IP addresses and vice versa
72.167.183.41 = jeromiejackson.com
jeromiejackson.com = 72.167.183.41
Standard queries use UDP port 53
DNS Zone Transfers
Zone transfers provide a copy of the complete set of records (the zone) stored by the DNS server
Zone transfers occur over TCP 53
Zone transfers should only be available to authorized secondary servers and upstream providers/peers
DNS Caching
When a client requests something to be resolved it will accept more information than what it had inquired about
DNS Redirection & Spoofing
Attacker spoofs a reply with bogus data
Attacker replies with correct data plus corrupt data
Attacker compromises a DNS server & uses it to distribute additional bogus answers to queries
Simple Network Management Protocol (SNMP)
Can provide vast amounts of data about systems
Based on Management Information Bases (MIBs)
v3 is the only version with built-in authentication, privacy, and access control; v1 and v2c rely on community strings sent in cleartext
Internet Control Message Protocol(ICMP)
Used for various tasks:
Ping (echo request/reply)
Host unreachable
Network unreachable
Redirects
Only allow across borders if required
Hijacking
TCP hijacking: man-in-the-middle, TCP reset, MAC spoofing
UDP: race condition - respond before the legitimate reply arrives
ICMP: ICMP redirect through an infected machine/network
BREAK- Next
Web Application Security
Tools Being Used
WebScarab: allows for HTML massaging; transcoder
Firefox Developer Tools: form editing; subvert client-side security settings
1- Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding the content.
XSS allows attackers to execute script in the victim's browser
Worry About Encodings
Original URL: www.comsecinc.com/contact.php
Base64: d3d3LmNvbXNlY2luYy5jb20vY29udGFjdC5waHA=
URL encoding: www.comsecinc.com%2Fcontact.php
Derivatives to further obscure intent:
Spaces or content breaks within content
@im\port'\ja\vasc\ript:alert("XSS")';
Vulnerability
Hijack user sessions
Redirect to a hostile location
Website defacement
Possibly introduce worms
Protection
Utilize a standard input validation mechanism and encode output for the context in which it is rendered
Do not attempt black-list validation
Java - use the Struts validator
.NET - use the Microsoft Anti-XSS Library
PHP - use htmlentities() or htmlspecialchars()
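The two XSS slides above (encodings that hide a payload, and encode-on-output instead of black-listing) as one added example. This is not code from the presentation; the payloads, the blocklist regex and the comment-rendering functions are constructed for illustration. It shows why a black-list on the raw value is bypassed by one layer of percent-encoding, why canonicalizing before validation closes that gap, and why output encoding is what actually neutralizes the payload.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs (not from the slides): one plain payload and the
# same payload hidden behind one and two layers of percent-encoding.
PLAIN_PAYLOAD = '<script>alert("XSS")</script>'
URL_ENCODED = '%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E'
DOUBLE_ENCODED = '%253Cscript%253Ealert(%2522XSS%2522)%253C%252Fscript%253E'

BLOCKLIST = re.compile(r'<script', re.IGNORECASE)


def blocklist_passes(value: str) -> bool:
    """The anti-pattern: a black-list check on the raw request value.
    Returns True when the value is let through."""
    return BLOCKLIST.search(value) is None


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so validation sees the
    same characters the browser eventually will. Bounded so a hostile value
    cannot keep the loop busy indefinitely."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def render_comment_vulnerable(author: str, body: str) -> str:
    """User data copied straight into the page: the XSS the slide describes."""
    return "<p><b>%s</b>: %s</p>" % (author, body)


def render_comment(author: str, body: str) -> str:
    """Output-encode for the HTML text context; html.escape turns < > & " '
    into entities, so the browser shows the payload as text instead of
    executing it."""
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )


def accept_comment(raw_body: str) -> str:
    """Known-good path: canonicalize on input, encode on output."""
    return render_comment("user", canonicalize(raw_body))
```

A web framework normally performs the first percent-decode for you; the loop matters for the second layer an attacker adds to slip past a filter that runs before or after that decode. Canonicalization helps validation see the real value, but it is the output encoding, chosen per context (HTML text here; attribute, JavaScript and URL contexts need their own encoders), that removes the XSS.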
2- Injection Flaws
User-supplied data sent to an interpreter:
SQL
LDAP
XPath
XML, SOAP
OS command injection
Vulnerability
SQL injection: create, modify, delete, or view tables/databases
OS command injection: read/modify/delete/create files; execute processes with the privileges of the application
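The SQL injection case above, as an added example that is not part of the presentation. The users table, credentials and payloads are constructed; the database is SQLite in memory so it runs offline. The same login query is built two ways: by string formatting, where the input is parsed as SQL, and with bound parameters, where quotes and comment markers in the input are just characters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not from the slides). Passwords are stored
    in cleartext only to keep the example short; never do that in practice."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The query is assembled by string formatting, so the user's input is
    parsed as SQL. Returns the matching (username, role) rows."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Placeholders keep data and code apart: the driver binds the values and
    the SQL text never changes, whatever the input contains."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads: comment out the password check, or make WHERE always true.
BYPASS_USER = "alice' --"
DUMP_ALL = "' OR 1=1 --"
```

Against the vulnerable function, BYPASS_USER logs in as the admin with any password and DUMP_ALL returns every row; the parameterized version returns no rows for either, while a legitimate login still works. The same separation applies to LDAP, XPath and OS commands: use the interpreter's parameter mechanism (or an argument list rather than a shell string) instead of concatenation.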
Vulnerability
Hostile file uploads
Access to sensitive data: reading confidential data
Protection
Use a known-good (whitelist) strategy
Sanitize user input
PHP - disable allow_url_fopen and allow_url_include; disable register_globals & E_Restrict
Java - ensure the Security Manager is enabled and properly configured
.NET - leverage least privilege via the security manager
4- Insecure Direct Object Reference
A user's direct access to object references
e.g., filenames, directories, database keys
Protection
Avoid exposing private object references
Reference objects indirectly: index files (a per-user or per-session map) as opposed to using their name
Validate that the user is authorized for the resolved object
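The indirect-reference protection above as an added example (not from the presentation). The document store, owners and identifiers are constructed. A vulnerable download takes the real key straight from the client; the hardened one hands each session random tokens that only resolve inside that session's map, and still checks ownership after resolving, so a leaked or shared token cannot be replayed by someone else.

```python
import secrets

# Constructed document store (not from the slides): id -> (owner, content).
DOCUMENTS = {
    101: ("alice", "alice's July statement"),
    102: ("bob", "bob's July statement"),
}


def download_vulnerable(doc_id: int) -> str:
    """The client names the real key and gets whatever it names; changing
    101 to 102 in the URL returns another customer's document."""
    return DOCUMENTS[doc_id][1]


class ReferenceMap:
    """Per-session map between opaque tokens and real identifiers. Tokens are
    random, so they cannot be enumerated the way 101, 102, ... can."""

    def __init__(self):
        self._to_direct = {}
        self._to_token = {}

    def indirect(self, direct_ref):
        token = self._to_token.get(direct_ref)
        if token is None:
            token = secrets.token_urlsafe(12)
            self._to_token[direct_ref] = token
            self._to_direct[token] = direct_ref
        return token

    def direct(self, token):
        try:
            return self._to_direct[token]
        except KeyError:
            raise PermissionError("unknown reference") from None


def list_documents(user: str, refmap: ReferenceMap) -> dict:
    """Links shown to the user: only their own documents, keyed by token."""
    return {
        refmap.indirect(doc_id): content
        for doc_id, (owner, content) in DOCUMENTS.items()
        if owner == user
    }


def download(user: str, refmap: ReferenceMap, token: str) -> str:
    """Resolve the token through the caller's own map, then still check
    ownership: defence in depth in case a token leaks."""
    doc_id = refmap.direct(token)
    owner, content = DOCUMENTS[doc_id]
    if owner != user:
        raise PermissionError("not the owner")
    return content
```

The map is the "index files as opposed to using their name" idea from the slide; the ownership check is what the map alone does not give you, and it is the check that should exist even where direct identifiers are unavoidable.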
5- Cross-Site Request Forgery
A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
e.g., a vulnerable banking relationship, shopping site, etc.
Vulnerability
Can exploit the vulnerability on behalf of the attacker:
Submit a bank transfer
Send credit card information
Automatically post information out to an Internet site
Protection
Re-authenticate or use transaction signing to ensure that the request is genuine
Set up external mechanisms such as e-mail or phone contact to verify requests or notify the user of the request
Do not use GET requests (URLs) for sensitive data or to perform value transactions
Use only POST methods when processing sensitive data from the user
POST alone is insufficient protection; combine it with random tokens, out-of-band authentication, or re-authentication to properly protect against CSRF
For ASP.NET, set ViewStateUserKey; it provides a similar check to the random token described above
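The random-token protection above, as an added example that is not part of the presentation. The session class, the transfer handlers and the forged form are constructed. It shows why "POST only" is not enough (the browser attaches the session cookie to the attacker's POST just as it would to a legitimate one) and how a per-session secret embedded in the legitimate form, which the attacker's page cannot read, separates the two.

```python
import hmac
import secrets


class Session:
    """Server-side session; the token is generated once per session and is
    never placed anywhere an attacker's page can read it (no cookie, no URL)."""

    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_hex(16)


def render_transfer_form(session: Session) -> str:
    """The legitimate page embeds the token as a hidden field."""
    return (
        '<form method="POST" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"><input type="submit"></form>'
    ).format(token=session.csrf_token)


def handle_transfer_vulnerable(session: Session, method: str, form: dict) -> str:
    """Relies only on the session cookie the browser attaches automatically,
    so a POST triggered from an attacker's page is indistinguishable."""
    if method != "POST":
        return "405 method not allowed"
    return "200 transferred %s from %s to %s" % (form["amount"], session.user, form["to"])


def handle_transfer(session: Session, method: str, form: dict) -> str:
    """POST plus a per-session random token, compared in constant time so the
    comparison itself does not leak the token byte by byte."""
    if method != "POST":
        return "405 method not allowed"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return "403 csrf token missing or invalid"
    return "200 transferred %s from %s to %s" % (form["amount"], session.user, form["to"])


# Constructed forged request: the fields an attacker's auto-submitting form
# would send. It cannot include the token because the attacker never saw it.
FORGED_FORM = {"to": "attacker", "amount": "1000"}
```

Re-authentication or transaction signing, also listed on the slide, adds a second factor for high-value actions; the token is the baseline every state-changing request should carry.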
Vulnerability
Data in errors may be useful for social engineering
May disclose internal object references
Often discloses account names
Protection
Disable or limit detailed error output to users
A common error handler is often useful; it can send details out-of-band (to logs) and return a generic message
Ensure the development team shares a unified approach
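The common error handler above, as an added example that is not part of the presentation. The account lookup and the in-memory log sink are constructed. The leaky endpoint returns the stack trace (which carries the account name, file paths and line numbers) to the client; the hardened one logs the full detail out-of-band under a reference id and returns only a generic message with that id, so support can correlate without exposing anything.

```python
import io
import logging
import traceback
import uuid

# Out-of-band sink. In production this is a log file or SIEM; here an
# in-memory buffer so the example runs stand-alone.
LOG_BUFFER = io.StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(logging.StreamHandler(LOG_BUFFER))

# Constructed backend lookup that fails on unknown accounts.
ACCOUNTS = {"jsmith": 1001}


def lookup_account(account_name: str) -> int:
    return ACCOUNTS[account_name]  # the KeyError message carries the account name


def endpoint_leaky(account_name: str) -> str:
    """Returns the stack trace to the client: internal names, paths, line numbers."""
    try:
        return "200 %d" % lookup_account(account_name)
    except Exception:
        return "500 " + traceback.format_exc()


def endpoint_hardened(account_name: str) -> str:
    """Common handler: full detail goes to the log with a reference id; the
    client gets a generic message plus that id for support correlation."""
    try:
        return "200 %d" % lookup_account(account_name)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        logger.error("ref=%s\n%s", ref, traceback.format_exc())
        return "500 An internal error occurred. Reference: %s" % ref


def log_text() -> str:
    """What the out-of-band sink has collected (for inspection in tests)."""
    return LOG_BUFFER.getvalue()
```

In a real application this handler is registered once at the framework level so every route behaves the same way, which is the "unified approach" the slide calls for.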
7- Broken Authentication & SessionManagement
Allows an attacker to bypass the I&A (identification & authentication) process
Often introduced through ancillary authentication functions:
Logout, password management, timeout, remember me, secret question, and account update
Vulnerability
Subversion of authentication within the application
Portions of the application go unauthenticated
Protection
Only use the inbuilt session management mechanism
Limit or rid your code of custom cookies for authentication or session management
Use a single authentication mechanism
Do not allow the login process to start from an unencrypted page
Use a timeout period
Check the old password when the user changes to a new password
8- Insecure Cryptographic Storage
Protecting sensitive data with cryptography has become a key part of most web applications.
Simply failing to encrypt sensitive data is very widespread.
Vulnerability
Inappropriate information disclosure
Regulatory violation
Protection
Do not create your own cryptographic algorithms.
Do not use weak algorithms, such as MD5 / SHA-1.
Favor safer alternatives, such as SHA-256 or better (for stored passwords, a salted and iterated construction such as PBKDF2 rather than a bare hash).
Generate keys offline and store private keys with extreme care.
Ensure that encrypted data stored on disk is not easy to decrypt.
9- Insecure Communications
Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
Encryption (usually SSL/TLS) must be used for all authenticated connections.
In addition, encryption should be used whenever sensitive data is transmitted.
Vulnerability
Inappropriate access to conversations
Any credentials or sensitive information transmitted
Protection
Use SSL/TLS for all connections that are authenticated or transmitting sensitive or valuable data
Ensure that communications between infrastructure elements are appropriately protected.
Under PCI Data Security Standard requirement 4, you must protect cardholder data in transit.
Vulnerability
"Hidden" or "special" URLs, rendered to all users if they know they exist
/admin/adduser.php or /approveTransfer.do
Applications often allow access to "hidden" files, such as static XML or system-generated reports.
Protection
Ensure the access control matrix is part of the business, architecture, and design of the application
Perform a penetration test
Do not assume that users will be unaware of special or hidden URLs or APIs.
Block access to all file types that your application should never serve.
Implement Security in Projects
The earlier security is implemented, the lower the cost to the project
Inception - ensure plans meet security standards
Development - ensure it stays on track
Implementation - validate it was implemented appropriately
Operations - monitor & measure
Disposal - ensure proper asset disposal processes
Implement Standardized Processes for Data Validation
Implement standard error handling processes to limit data exposure
Utilize standardized sanitization processes to ensure consistent quality protection
Properly Segment the Environments
Three-Tier DMZ
Test All External-Facing Applications
Application test all applications accessible on the Internet
Assess all systems which utilize restricted data (healthcare, credit cards, ACH transfers, etc.)
Strength in Numbers
Join local associations: OWASP & ISACA
ComSec Services
Qualifications: OWASP SD Chapter President; CISSP & CISM practitioners; board members of ISACA; ITIL & COBIT certified; NSS Labs Advisory Board; 800+ regulated customers
Security Services: Virtual CISO; Social Engineering; Risk Assessment; Awareness Training; Security Assessment; Policy Development
Contact Information
Jeromie Jackson - CISSP/CISM
ComSec, Inc.
702-866-9412
Part 3
Technical Countermeasures
Web Application Firewall (WAF)
-
8/14/2019 Infosec Base Concepts and Governance
90/157
Monitors and mitigates web-based vulnerabilities
Some IDS/IPS signatures may catch the same attacks
Some provide application profiling (e.g., Imperva, Breach, DataPower)
Antivirus/ Anti-Malware
Mostly signature-based (identified files/processes)
Whitelisting becoming more prevalent
Should be deployed at the desktop & at the gateway
Preferably two different engines/vendors
Authentication
3 factors of authentication
Something you know: PIN, password
Something you have: smart card, RFID card, digital certificate
Something you are: biometrics
Log Management
Logs are of critical importance to auditors: centralized, monitored, escalated, consistent, secure
SIM/SIEM products are a great way to correlate these
Access Control
Role-based
User-based
Permissions (MAC & DAC)
Discretionary Access Control
At the owner's discretion
Found on most multi-user operating systems (read, write, execute / user, group, other)
Mandatory Access Control
Objects (and subjects) are given labels
Labels often hard-coded
Specific access control provisions used (e.g., read down, write equal)
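The DAC and MAC models above, as an added example that is not part of the presentation. The sensitivity levels, subjects and objects are constructed. DAC is modelled as POSIX mode bits chosen by the owner; MAC as label comparison under the slide's "read down, write equal" rule; the combined check requires both to agree, which is how a generous mode on a labelled object still cannot leak it to a lower-cleared subject.

```python
from enum import IntEnum

R, W, X = 4, 2, 1  # POSIX permission bits


class Level(IntEnum):
    """Constructed sensitivity labels, lowest to highest."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


def dac_permits(mode: int, owner: str, group: str,
                subject: str, subject_groups: set, want: int) -> bool:
    """Discretionary: the owner chose the mode bits (e.g. 0o640); the OS picks
    the user/group/other triple that applies to the subject."""
    if subject == owner:
        bits = (mode >> 6) & 7
    elif group in subject_groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def mac_permits(subject_level: Level, object_level: Level, want: int) -> bool:
    """Mandatory: labels are compared by policy, not by the owner's wishes.
    Read down (or equal): never read an object above your clearance.
    Write equal: only write objects at your own level, which blocks both
    writing down (leaking) and writing up (tampering above your level)."""
    if want & R and subject_level < object_level:
        return False
    if want & W and subject_level != object_level:
        return False
    return True


def access_permitted(subject: dict, obj: dict, want: int) -> bool:
    """Both policies must agree; MAC cannot be overridden by a generous mode."""
    return (
        dac_permits(obj["mode"], obj["owner"], obj["group"],
                    subject["name"], subject["groups"], want)
        and mac_permits(subject["level"], obj["level"], want)
    )
```

A SECRET-cleared owner can read a CONFIDENTIAL file she owns but not write to it (write equal), an INTERNAL group member cannot read it even though the group bits allow (no read up), and an outsider with a SECRET clearance is still stopped by the DAC "other" bits.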
User Provisioning
Often resource intensive
Prone to error
Provisioning software generally not cost-effective for the SMB space
Maximize the applications that are AD-aware and, ideally, can leverage groups for access control
Symmetric Encryption
Asymmetric Encryption
Disk Encryption
Should be deployed on all remote devices
Full-disk encryption is preferable
Mitigates the significant threat of a device being lost/stolen
Email Encryption
Email goes over unencrypted ports by default
Some tools require the end-user to encrypt outbound messages
Some can apply policies based on destination
Can be symmetric or asymmetric
SIM/SIEM
Great way to reduce the cost of security
Consolidate those logs - make them useful!
Pivoting is very functional (BI for security)
TriGeo, ArcSight, NetIQ
Database Auditing
Some auditing is built in
Be careful of turning auditing on without tuning
Imperva has a database play
Don't let developers connect directly to the SQL port(s)
Data Loss Prevention (DLP)
Great way to gain visibility into previously unidentified risk vectors
Remember due diligence & due care
Some can import databases
Some are agent-based; this is good for mobile computing!
Physical Countermeasures
Information Security != Technical Security
Many attacks/breaches due to physical security weaknesses
ID Cards
Various types: RFID cards, smart cards, magnetic stripe cards
Smart Cards Pros/Cons
Pros: intelligent; built-in CPU
Cons: more expensive; complexity generally adds risk
Mag Stripes
Pros: cheaper cards; cheaper readers
Cons: exploitation costs lower
Administrative Controls
Policies, procedures, and standards mitigate end-user risk
Do not fall for the notion that technology is a panacea that comprehensively mitigates risk
Policies
Describe management expectations
Describe what is to be done
Should be aligned with high-level control objectives/intentions
Procedures
Describe the actions required to carry out policies
Describe how to execute the policies
Dual Control
Two pieces of a key to open a door
Two people to execute a transaction
Additional signatures for processing
Audit
Policies, procedures, and standards are not beneficial if not in use
Logs are required by auditors to ensure controls are consistently being implemented
Primary concepts: least privilege, segregation of duty, dual control, continual, repeatable
Least Privilege
Users should be given access only to the resources necessary to carry out their job
Mitigates inappropriate disclosures
Enhances auditability
Should be used to help stakeholders define access control requirements for an asset
OS Hardening
Least privilege: only required services allowed; remove unnecessary services
Patching: mitigate vulnerabilities affecting the environment; consistency
Reduce complexity: limit the types of vulnerabilities affecting the environment; minimize vulnerabilities present in the environment; stabilize a baseline
Racking & Stacking @ a 3rd Party
How far up will they manage?
Up to the rack? OS & app threats; ability to install countermeasures
Up to the OS? Can you deploy OS/network countermeasures? Patching strategies; what about non-Microsoft applications?
Up to the app? Auditability; least privilege
Ignorance is Risk
Manage by Measurement Through the Use of a Control Framework
Security Risks & Exposures are Growing
More than 35 million data records were breached in 2008 in the United States - Identity Theft Resource Center
Jan 20, 2009 - Heartland Payment Systems - 100 million transactions per month! http://www.2008breach.com/
252,276,206 records with personal information since January 1995 - www.privacyrights.org
Risk is a Business Issue
Ignoring or misunderstanding financial risks played a substantial role in creating the world financial crisis in 2008.
Organizations need to assess risk as part of cost-cutting decisions and should manage increased IT risks to prevent operational failures that will lead to further loss.
- Gartner, Managing IT Risks During Cost-Cutting Periods, October 22, 2008
Risk is a Business Issue (Cont.)
CardSystems Solutions Inc.
Mid-2005 breach of 40 million credit cards
Visa & MasterCard terminated their processing capability; they soon went under
35+ million data records were breached in 2008 in the United States - Identity Theft Resource Center
Heartland Payment Systems
Jan 20, 2009
100 million transactions per month
http://www.2008breach.com
252,276,206 records with personal information since January 1995 - http://www.privacyrights.org
Risk Aware vs. Risk Averse
Risk Averse:
Avoids discussions of risk
Avoids responsibility for risks
No tracking or analysis of failures & successes
Can't learn from mistakes; high repeat failure rates
Padded budgets, extended timelines, surprise overruns
Managers assign blame, don't share the risk
Risk Aware:
OK to talk about risk
OK to take risks
OK to fail (if managed appropriately)
Successes and failures tracked and analyzed
Continuous learning and improvement for key processes
Realistic budgets and timelines that are continuously monitored
Enterprise is able to take on bigger risks
- 2007 MIT Sloan Center for Information Systems Research & Gartner Inc.
Being Risk Aware Enables Agility & Innovation
Down Economy causing executives to focus on profitability
3 ways to improve profitability
Increase top-line sales
Reduce COGS
Optimize operations
Optimize IT
Bridge the gap between control requirements, technical issues, and business risk
Use a portfolio approach to risk management
Manage by measurement
Enable your organization to reap maximum benefit from technology investments
Regulation With Minimal Benefit
Redundant requirements
Controls without clear benefits
Overlapping and vague requirements
Costly resource allocation
Regulations
Increasing complexity
Resource intensive
Divert focus from maturing risk management
Regulatory Convergence
Optimize remediation
Assert compliance simultaneously
IT & Business Alignment - Are we communicating?
Agile CompetitiveAdvantage
Prudent
Implications
IT is meant to serve the business
IT must be aligned with business goals
IT is costly and requires prudent management
Become Proactive
Instill best-practice governance
Utilize a risk-management portfolio to guideremediation
Consolidate Regulations
Managing by Measurement
Leading the Trauma Unit
The Root Cause of IT Risk
50 case studies, 130 firms surveyed, 2000+ executives (refined)
Governance - specifying the decision rights and accountability framework to encourage desirable behavior in using IT.
- Peter Weill and Jeanne Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Boston: Harvard Business School Press, 2004)
The Root Cause of IT Risk - Lack of Governance
- George Westerman & Richard Hunter, IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, 2007)
...manifested as uncontrolled complexity and inattention to risk.
Improve Risk Management
Risk Management Process
Identify critical assets
Define containers
Identify risks & threats
Quantify or qualify risks
Prioritize remediation efforts
Stop the Bleeding - Cauterize the Wounds
Identify & collect known risks
Create a remediation portfolio
Document the As-Is state
Stabilize the Patient
Classify known risks
External audits
Internal audits
Regulatory audits
Vulnerability assessments
Risk assessments
Address Availability - Focus on Business Consequence
Consolidate regulations
Identify primary controls: confidentiality, integrity, availability, auditability, performance measurement
Have a clear architectural direction / To-Be state
Conduct an IT assessment to identify the As-Is state
Through planning, identify core strategies and architecture
Manage by Measurement
Seek Optimal Treatment Plan
Benefits of utilizing best practices
Enables external expertise
Facilitates benchmarking
Auditor familiarity resulting in reduced costs
Best Practice Control Objectives
Components of Controls
Defines a specific goal
Aligns with business objectives
Describes the focus required to manage
Summarizes how the goal will be achieved
Defines potential KPIs/KGIs
RACI Table
Communicate & Collaborate
Paradigms - 7 Habits of Highly Effective People - a man on a subway sees two obnoxious children...
The sum is greater than the individual pieces
Balanced Scorecards
Focus on 4 key perspectives:
Financial - fiscal measurements
Customer - service qualities
Operations - operational efficiency & agility
Learning &amp; Growth - fostering growth & innovation
Provides measurements based on the key customers being serviced
Balanced Scorecards
Strategy Maps
Describe the To-Be state graphically
Facilitate collaboration
Minimize jargon
Collaborate
Leading & Lagging Indicators
Leading indicators: sales targets; # of site visitors expected this year
Lagging indicators: $ closed deals last month; visitors last year; amount a specific product has generated thus far
KPIs & KGIs
A Key Goal Indicator, representing the process goal, is a measure of "what" has to be accomplished. It is a measurable indicator of the process achieving its goals, often defined as a target to achieve.
Examples: remain profitable; take over 15% market share in a territory
By comparison, a Key Performance Indicator is a measure of "how well" the process is performing.
Examples: % of bench time for engineers ("riding the pine"); # of opportunities in the pipeline
Prudent Management is not just forthe enterprise anymore
Governance has been slowly adopted in theSMB space
Perceived as an enterprise play
ROI/CBA/NPV communication muddled with jargon
Talk to your audience - don't belabor acronyms and frameworks.
Focus on sound stewardship principles.
Questions?
Jeromie Jackson - CISSP, CISM
[email protected]
619-368-7353-direct www.linkedin.com/in/securityassessment