Risk and Compliance, Mark Hofman (SANS) - PowerPoint PPT Presentation


SLIDE 1

People First, Performance Now Ministry of Science, Technology and Innovation

Risk and Compliance

Mark Hofman SANS Institute/Shearwater Solutions

06 November 2012

SLIDE 2

Agenda

  • The risks we face
    – How are we compromised
  • The standards we face
  • Why do they fail?
  • How can they work?
  • What else is there?

SLIDE 3

Compliance != Security
Security != Compliance

SLIDE 4

The risks we face

  • Key loggers
  • Weak or stolen credentials
  • Data exfiltration
  • Brute force attacks
  • Backdoors
  • Tampering
  • Social engineering
  • Phishing

http://xkcd.com/795/

SLIDE 5

The risks we face

  • Extortion
  • DOS/DDOS
  • SQLi
  • Internal challenges
    – Complex systems
    – Unknown systems
    – Operational challenges
    – Resourcing
  • Non-compliance with standards

SLIDE 6

How are we compromised?

  1. Spear phishing email
     – Based on Google, Facebook, LinkedIn or other social media and public information
  2. Lateral movement
  3. Consolidation within target environment
  4. Identify and exfiltrate data

SLIDE 7

How are we compromised?

  1. Internet-facing server compromise
  2. Lateral movement
  3. Consolidation within target environment
  4. Identify and exfiltrate data

Where do Standards fit?

SLIDE 8

The Standards we face

  • Standards
    – ISO 27000 series
    – PCI DSS
    – SOX/JSOX
    – COBIT
    – ITIL
    – etc.

http://xkcd.com/927

SLIDE 9

27000 Series

  • ISO/IEC 27001 — Information security management systems — Requirements
  • ISO/IEC 27002 — Code of practice for information security management
  • ISO/IEC 27003 — Information security management system implementation guidance
  • ISO/IEC 27004 — Information security management — Measurement
  • ISO/IEC 27005 — Information security risk management
  • ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
  • ISO/IEC 27010 — Information technology -- Security techniques -- Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
  • ISO/IEC 27031 — Guidelines for information and communications technology readiness for business continuity
  • ISO/IEC 27033-1 — Network security overview and concepts
  • ISO/IEC 27035 — Security incident management
  • ISO 27799 — Information security management in health using ISO/IEC 27002
  • ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
  • ISO/IEC 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
  • ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
  • ISO/IEC 27014 — Information security governance framework
  • ISO/IEC 27015 — Information security management guidelines for the finance and insurance sectors
  • ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
  • ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
  • ISO/IEC 27034 — Guideline for application security
  • ISO/IEC 27036 — Guidelines for security of outsourcing
  • ISO/IEC 27037 — Guidelines for identification, collection and/or acquisition and preservation of digital evidence

SLIDE 10

27001

ISO/IEC 27001 Information security management systems

  – Risk Based Standard (Yours)
  – High Level
  – Can certify against the standard
  – Has some required documents
      • Security policy, BCP, Incident Response Plan and more
  – Shades of grey are ok

(Figure: Plan, Do, Check, Act cycle)

SLIDE 11

PCI DSS

(Figure: PCI standards family: PCI PTS, PCI PA-DSS, PCI DSS, PCI P2PE)

  • Risk Based Standard (payment brands)
  • Prescriptive
  • Black and white
SLIDE 12

SOX/COBIT/COSO/ITIL

  • Risk Based Standards (Not necessarily yours)
  • Management frameworks

Government

  • FISMA (USA)
  • Information Security Manual (AU)
SLIDE 13


SLIDE 14

Why do they fail to protect?

  • ISO 27001
    – Focus is on the management process
    – Risks often not correctly identified
    – Not integrated into normal processes
    – Seen as a hindrance

SLIDE 15

Why do they fail to protect?

  • PCI DSS
    – Can be resource intensive
    – Not integrated into normal processes
    – Ignores risks not specifically addressed by PCI DSS
    – Segmentation
    – Not using controls to best advantage

SLIDE 16

Why do they not work?

  • Tick approach
  • Addressing the standard, not the basic security requirements
  • Not addressing real risks
  • Prioritization

SLIDE 17

How can they work?

  • If you have to comply, make the standard work for you.
  • The security team(s) need to embrace the standard(s)
  • Operational teams need to embrace the standard(s)
  • Internal Audit teams need to work with the other teams to make the standards work
  • Management needs to ask: what can we get out of it?

SLIDE 18

How can they work?

  • Make sure processes fit with the organisation
  • KISS Principle (not too much red tape)
  • Assess risks regularly

SLIDE 19

How can they work?

  • Get the basics correct
    – Know what you are protecting
    – Know your systems and network
  • Automate

(Figure: risk management cycle: Assess Risks, Select Controls, Implement Controls, Monitor & Report)

SLIDE 20

What else is there?

  • 20 Critical Controls
    http://www.sans.org/critical-security-controls/
  • DSD 35 mitigating controls
    – Application Whitelisting
    – Patch Applications
    – Patch Operating Systems
    – Reduce privileged access
    www.dsd.gov.au

SLIDE 21

Questions?

mhofman@shearwater.com.au Markh.isc@gmail.com