Managing a Security Program (when you are not a security expert)
An Information Security Road Trip
Javed Ikbal
2016 ROCKY MOUNTAIN SUMMIT
This session is for you…
• If you do not have an IT or Information Security background
– But are tasked with running an information security program, or,
– You are responsible for a critical piece of information security or audit in your organization
– Or you want to know what the big deal is.
• If your company already has a mature information security program, this may not be for you

Learning Objectives
• This is not a technical session.
• A roadmap is presented
– Common potholes / road closures / rogue drivers will be pointed out (when possible)
• After completion, you will be able to:
– Understand the map
– Figure out where you are
– Predict a time to get to your destination
– Estimate the gas and food needed to get there
So you can avoid becoming a headline
• 97% of breaches were avoidable through simple or intermediate controls.
– Easy improvements can make big differences
• 79% of victims were targets of opportunity.
– Make it harder for the bad guys
• 85% of breaches took weeks or more to discover.
– Breaches happen. Find them early
• 92% of incidents were discovered by a third party.
– Don’t end up on the front page of a newspaper (before your CEO knows about it)
What is information security?
• Limit access to authorized people only
• Ensure those authorized people can access the information when needed
• Prevent unauthorized modification
The basic necessities
• Prerequisites for a successful information security program:
– Management support (the fuel and food)
  • A written, approved information security program
  • Budget!
  • Tone from the top
– Policies (the traffic rules/laws)
The Fuel
• Without management support, it is tough to be successful
• Create a business case by using what drives management:
– REPUTATION, REGULATION, REVENUE
• Written information security program (WISP)
– Not a policy
– More a narrative of your security posture
– Describes the elements of your security program
– http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf
– http://www.buchananassociates.com/Buchanan-Associates-Sample-Template-Written-Information-Security-Plan-WISP.pdf
The Traffic Laws
• Acceptable Use Policy
– If you don’t have one, fix it ASAP.
– https://www.sans.org/security-resources/policies/general/doc/acceptable-use-policy
• A badly written policy could be dangerous
– Do not include something that you cannot enforce
– Do not fill it up with legalese
The Traffic Laws
• Information Security Policy
– http://www.ucisa.ac.uk/~/media/Files/publications/toolkits/ist/ISTEd3%20pdf
• Password Protection Policy
– https://www.sans.org/security-resources/policies/general/doc/password-protection-policy
• Information / Risk Classification
– https://uit.stanford.edu/guide/riskclassifications
• Vendor / 3rd party Security Requirements
– http://www.brighthorizons.com/suppliercenter/baseline-third-party-security-requirements
Leaving a laptop in the car?
• Conduct a data inventory
– What data do you have?
– Where does it live?
– What protections should be in place?
– What protections are in place?
Teach the kids to not talk to strangers
Stranger Danger
• Phishing
• Ransomware
• W-2 scam
• Awareness is the best bang for the buck
Teach the kids 9-1-1
• What happens when something goes bad?
– Do you have an incident response plan?
– Remember the inventory?
  • Do breach notification laws apply?
  • What jurisdictions?
– Who does what in a breach?
– Can you contact the team when needed?
– Who is authorized to declare an “incident”?
– Who is authorized to talk to the media?
– Who is authorized to call law enforcement?
Is there a spare tire?
• Do you have backups?
• Are the backups protected as well as the primary data?
• How long ago was the last backup? (Recovery Point Objective: RPO)
• How long will it take to become operational? (Recovery Time Objective: RTO)
Oil change? Coolant? Recall notice?
• How often do you install security patches?
• What do you patch?
• How soon do you install a new patch?
• Do you monitor security bulletins?
Did I lock the doors?
• What are the physical security controls?
• Are your servers in a secure location?
• Do we have video surveillance of entry/exit points?
• Do we have logs of entry to all secure locations?
• Are users trained to not let in strangers?
Lunch options: Chain or Local?
• Security begins (and sadly, often ends) at your vendor
• Do your due diligence
• Require security measures appropriate to the risks
Did we turn off the oven?
• Center for Internet Security Critical Controls:
– https://www.cisecurity.org/critical-controls.cfm
– Technical help needed to implement these, but understanding them does not require a technical background
Critical Security Controls
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises
Where are we?
• Start with the critical controls, and score your company on each item:
1. Initial: Processes are unpredictable. Not much documentation.
2. Managed: Processes are documented, but not always followed. Often reactive.
3. Defined: Processes are documented and proactive.
4. Quantitatively managed: Processes measured and controlled.
5. Optimized: Continuous process improvement.
Are we there yet?
• “How long” is a tough question
– From 1 to 2: 6-12 months
– From 2 to 3: 12-18 months
– From 3 to 4: 18 months
• Depends on how much money and effort you want to throw at the problem
• Secure your doors (perimeter network) first
• Awareness and patching are quick wins
• Then the engine (applications and databases)
Car making strange noise?
• If you have one or more “Initial”, that is a bad sign.
• “Managed” is barely acceptable (depends on your industry)
• “Defined” or “Quantitatively Managed” is where we should be.
• “Optimized” is a lofty goal, but can be attained.
The maintenance schedule
• NIST Cybersecurity Framework
– http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• There are other frameworks
– The one from NIST is free
– And it is pretty good
– If you do business with the Federal government, you might be forced to use this
The maintenance schedule
When you are the mechanic
• If you are auditing vendors or clients:
– Review policies
– Ask questions based on data types and risks (inventory)
– You can use Google’s questionnaire:
  • https://vsaq-demo.withgoogle.com/
  • https://github.com/google/vsaq
– Ask for evidence
– Ask if they have implemented:
  • Critical controls
  • A security framework
  • Ask for evidence
– Repeat based on risk (1 year / 3 year)
Information Security: brakes?
• A car can travel fast if the driver knows it has good brakes
• Information security has the same function: it enables the business
• Policies and standards are the lane markings and guardrails
– Just like their road equivalent, they can’t stop people from going off the road
• Our job is to keep people in the marked lanes
Questions