Risk and Compliance – Mark Hofman, SANS (PowerPoint PPT Presentation)


  1. Ministry of Science, Technology and Innovation – People First, Performance Now
     Risk and Compliance
     Mark Hofman, SANS Institute/Shearwater Solutions
     06 November 2012

  2. Agenda
     • The risks we face
       – How are we compromised
     • The standards we face
     • Why do they fail?
     • How can they work?
     • What else is there?

  3. Compliance != Security
     Security != Compliance

  4. The risks we face
     • Key loggers
     • Weak or stolen credentials
     • Data exfiltration
     • Brute force attacks
     • Backdoors
     • Tampering
     • Social engineering
     • Phishing
     http://xkcd.com/795/

  5. The risks we face
     • Extortion
     • DOS/DDOS
     • SQLi
     • Internal challenges
       – Complex systems
       – Non compliance with standards
       – Unknown systems
       – Operational challenges
       – Resourcing

  6. How are we compromised?
     1. Spear phishing email
        – Based on Google, Facebook, LinkedIn or other social media and public information
     2. Lateral movement
     3. Consolidation within target environment
     4. Identify and exfiltrate data

  7. How are we compromised?
     1. Internet facing server compromise
     2. Lateral movement
     3. Consolidation within target environment
     4. Identify and exfiltrate data
     Where do standards fit?

  8. The standards we face
     • Standards
       – ISO 27000 series
       – PCI DSS
       – SOX/JSOX
       – COBIT
       – ITIL
       – etc.
     http://xkcd.com/927

  9. 27000 Series
     ISO/IEC 27001 – Information security management systems – Requirements
     ISO/IEC 27002 – Code of practice for information security management
     ISO/IEC 27003 – Information security management system implementation guidance
     ISO/IEC 27004 – Information security management – Measurement
     ISO/IEC 27005 – Information security risk management
     ISO/IEC 27006 – Requirements for bodies providing audit and certification of information security management systems
     ISO/IEC 27007 – Guidelines for information security management systems auditing (focused on the management system)
     ISO/IEC 27008 – Guidance for auditors on ISMS controls (focused on the information security controls)
     ISO/IEC 27010 – Information technology – Security techniques – Information security management for inter-sector and inter-organizational communications
     ISO/IEC 27011 – Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
     ISO/IEC 27013 – Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
     ISO/IEC 27014 – Information security governance framework
     ISO/IEC 27015 – Information security management guidelines for the finance and insurance sectors
     ISO/IEC 27031 – Guidelines for information and communications technology readiness for business continuity
     ISO/IEC 27032 – Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
     ISO/IEC 27033 – IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
     ISO/IEC 27033-1 – Network security overview and concepts
     ISO/IEC 27034 – Guideline for application security
     ISO/IEC 27035 – Security incident management
     ISO/IEC 27036 – Guidelines for security of outsourcing
     ISO/IEC 27037 – Guidelines for identification, collection and/or acquisition and preservation of digital evidence
     ISO 27799 – Information security management in health using ISO/IEC 27002

  10. 27001
      ISO/IEC 27001 Information security management systems
      – Risk based standard (yours)
      – High level
      – Can certify against the standard
      – Has some required documents
        • Security policy, BCP, Incident Response Plan and more
      – Shades of grey are ok
      (Figure: Plan – Do – Check – Act cycle)

  11. PCI DSS
      (Figure: PCI standards family – PCI DSS, PCI PA-DSS, PCI PTS, PCI P2PE)
      • Risk based standard (payment brands)
      • Prescriptive
      • Black and white

  12. SOX/COBIT/COSO/ITIL
      • Risk based standards (not necessarily yours)
      • Management frameworks
      Government
      • FISMA (USA)
      • Information Security Manual (AU)

  13. (no text on slide)

  14. Why do they fail to protect?
      • ISO 27001
        – Focus is on the management process
        – Risks often not correctly identified
        – Not integrated into normal processes
        – Seen as a hindrance

  15. Why do they fail to protect?
      • PCI DSS
        – Can be resource intensive
        – Not integrated into normal processes
        – Ignores risks not specifically addressed by PCI DSS
        – Segmentation
        – Not using controls to best advantage

  16. Why do they not work?
      • Tick approach
      • Addressing the standard, not the basic security requirements
      • Not addressing real risks
      • Prioritization

  17. How can they work?
      • If you have to comply, make the standard work for you.
      • The security team(s) need to embrace the standard(s)
      • Operational teams need to embrace the standard(s)
      • Internal audit teams need to work with the other teams to make the standards work
      • Management needs to ask what can we get out of it?

  18. How can they work?
      • Make sure processes fit with the organisation
      • KISS principle (not too much red tape)
      • Assess risks regularly

  19. How can they work?
      • Get the basics correct
        – Know what you are protecting
        – Know your systems and network
      • Automate
      (Figure: cycle of Assess Risks – Select Controls – Implement Controls – Monitor & Report)

  20. What else is there?
      • 20 Critical Controls
        http://www.sans.org/critical-security-controls/
      • DSD 35 mitigating controls
        www.dsd.gov.au
      • Application whitelisting
      • Patch applications
      • Patch operating systems
      • Reduce privileged access

  21. Questions?
      mhofman@shearwater.com.au
      Markh.isc@gmail.com
