Managing a Security Program (when you are not a security expert) An Information Security Road Trip Javed Ikbal 2016 ROCKY MOUNTAIN SUMMIT


Page 1: Managing a security program (when you are not a security expert)

Managing a Security Program (when you are not a security expert)

An Information Security Road Trip

Javed Ikbal

2016 ROCKY MOUNTAIN SUMMIT

Page 2: Managing a security program (when you are not a security expert)


This session is for you…
• If you do not have an IT or Information Security background
  – But are tasked with running an information security program, or,
  – You are responsible for a critical piece of information security or audit in your organization
  – Or you want to know what the big deal is.

• If your company already has a mature information security program, this may not be for you


Page 3: Managing a security program (when you are not a security expert)


Learning Objectives
• This is not a technical session.
• A roadmap is presented
  – Common potholes / road closures / rogue drivers will be pointed out (when possible)
• After completion, you will be able to:
  – Understand the map
  – Figure out where you are
  – Predict a time to get to your destination
  – Estimate the gas and food needed to get there

Page 4: Managing a security program (when you are not a security expert)


So you can avoid becoming a headline

• 97% of breaches were avoidable through simple or intermediate controls.
  – Easy improvements can make big differences
• 79% of victims were targets of opportunity.
  – Make it harder for the bad guys
• 85% of breaches took weeks or more to discover.
  – Breaches happen. Find them early
• 92% of incidents were discovered by a third party.
  – Don’t end up on the front page of a newspaper (before your CEO knows about it)


Page 5: Managing a security program (when you are not a security expert)


Page 6: Managing a security program (when you are not a security expert)


What is information security?

• Limit access to authorized people only (confidentiality)

• Ensure those authorized people can access the information when needed (availability)

• Prevent unauthorized modification (integrity)


Page 7: Managing a security program (when you are not a security expert)


The basic necessities
• Prerequisites for a successful information security program:
  – Management support (the fuel and food)
    • A written, approved information security program
    • Budget!
    • Tone from the top
  – Policies (the traffic rules/laws)


Page 8: Managing a security program (when you are not a security expert)


The Fuel
• Without management support, it is tough to be successful
• Create a business case by using what drives management:
  – REPUTATION, REGULATION, REVENUE
• Written information security program (WISP)
  – Not a policy
  – More a narrative of your security posture
  – Describes the elements of your security program
  – http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf
  – http://www.buchananassociates.com/Buchanan-Associates-Sample-Template-Written-Information-Security-Plan-WISP.pdf


Page 9: Managing a security program (when you are not a security expert)


The Traffic Laws
• Acceptable Use Policy
  – If you don’t have one, fix it ASAP.
  – https://www.sans.org/security-resources/policies/general/doc/acceptable-use-policy
• A badly written policy could be dangerous
  – Do not include something that you cannot enforce
  – Do not fill it up with legalese

Page 10: Managing a security program (when you are not a security expert)


The Traffic Laws
• Information Security Policy
  – http://www.ucisa.ac.uk/~/media/Files/publications/toolkits/ist/ISTEd3%20pdf
• Password Protection Policy
  – https://www.sans.org/security-resources/policies/general/doc/password-protection-policy
• Information / Risk Classification
  – https://uit.stanford.edu/guide/riskclassifications
• Vendor / 3rd party Security Requirements
  – http://www.brighthorizons.com/suppliercenter/baseline-third-party-security-requirements


Page 11: Managing a security program (when you are not a security expert)


Leaving a laptop in the car?
• Conduct a data inventory
  – What data do you have?
  – Where does it live?
  – What protections should be in place?
  – What protections are in place?


Page 12: Managing a security program (when you are not a security expert)


Teach the kids to not talk to strangers


Page 13: Managing a security program (when you are not a security expert)


Stranger Danger
• Phishing
• Ransomware
• W-2 scam
• Awareness is the best bang for the buck


Page 14: Managing a security program (when you are not a security expert)


Teach the kids 9-1-1
• What happens when something goes bad?
  – Do you have an incident response plan?
  – Remember the inventory?
    • Do breach notification laws apply?
    • What jurisdictions?
  – Who does what in a breach?
  – Can you contact the team when needed?
  – Who is authorized to declare an “incident”?
  – Who is authorized to talk to the media?
  – Who is authorized to call law enforcement?


Page 15: Managing a security program (when you are not a security expert)


Is there a spare tire?
• Do you have backups?
• Are the backups protected as well as the primary data?
• How long ago was the last backup? (Recovery Point Objective: RPO)
• How long will it take to become operational? (Recovery Time Objective: RTO)
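The four questions on this slide can be answered mechanically from a backup tool's export. The following is an added example, not code from the talk: it takes a small constructed backup catalog and a constructed set of per-dataset RPO/RTO targets, picks the most recent backup per dataset, and reports where the RPO is missed, where the backup is weaker than the primary (unencrypted), and where the RTO is unknown because a restore has never been tested. The record fields, dataset names and targets are assumptions for illustration.

```python
"""Check a backup catalog against per-dataset RPO and RTO targets.

Added example (not from the slides). The catalog format, dataset names,
timestamps and targets below are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed sample of what an export from a backup tool might look like.
# Each record: dataset, completion time (UTC), encrypted at rest, and the
# last measured restore time in minutes (None = restore never tested).
CATALOG = [
    {"dataset": "crm-db",    "completed": "2016-05-10T02:00:00Z", "encrypted": True,  "restore_min": 90},
    {"dataset": "crm-db",    "completed": "2016-05-11T02:00:00Z", "encrypted": True,  "restore_min": 95},
    {"dataset": "fileshare", "completed": "2016-05-04T23:30:00Z", "encrypted": False, "restore_min": None},
    {"dataset": "payroll",   "completed": "2016-05-11T01:15:00Z", "encrypted": True,  "restore_min": 400},
]

# Targets agreed with the business (constructed). RPO and RTO in hours.
TARGETS = {
    "crm-db":    {"rpo_h": 24, "rto_h": 4},
    "fileshare": {"rpo_h": 24, "rto_h": 8},
    "payroll":   {"rpo_h": 24, "rto_h": 4},
    "hr-docs":   {"rpo_h": 72, "rto_h": 24},   # appears in the inventory but not in the catalog
}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed catalog."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_backups(catalog, targets, now):
    """Return {dataset: [finding, ...]}; an empty list means the dataset passes."""
    # Keep only the most recent record per dataset.
    latest = {}
    for rec in catalog:
        name = rec["dataset"]
        if name not in latest or parse_ts(rec["completed"]) > parse_ts(latest[name]["completed"]):
            latest[name] = rec

    findings = {}
    for name, t in targets.items():
        issues = []
        rec = latest.get(name)
        if rec is None:
            # The inventory says the data exists; the backup tool has never seen it.
            issues.append("no backup on record")
        else:
            age_h = (now - parse_ts(rec["completed"])).total_seconds() / 3600
            if age_h > t["rpo_h"]:
                issues.append(f"RPO missed: last backup {age_h:.0f}h old, target {t['rpo_h']}h")
            if not rec["encrypted"]:
                issues.append("backup not encrypted (weaker than primary)")
            if rec["restore_min"] is None:
                issues.append("RTO unknown: restore never tested")
            elif rec["restore_min"] / 60 > t["rto_h"]:
                issues.append(f"RTO missed: restore takes {rec['restore_min'] / 60:.1f}h, target {t['rto_h']}h")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    now = parse_ts("2016-05-11T09:00:00Z")   # constructed "current" time
    for name, issues in check_backups(CATALOG, TARGETS, now).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The check is driven by the target list rather than by the catalog, so a dataset that is in your data inventory but has never been backed up shows up as a finding instead of silently passing; that is the link back to the inventory slide.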


Page 16: Managing a security program (when you are not a security expert)


Oil change? Coolant? Recall notice?
• How often do you install security patches?
• What do you patch?
• How soon do you install a new patch?
• Do you monitor security bulletins?


Page 17: Managing a security program (when you are not a security expert)


Did I lock the doors?
• What are the physical security controls?
• Are your servers in a secure location?
• Do we have video surveillance of entry/exit points?
• Do we have logs of entry to all secure locations?
• Are users trained to not let in strangers?

Page 18: Managing a security program (when you are not a security expert)


Lunch options: Chain or Local?
• Security begins (and sadly, often ends) at your vendor
• Do your due diligence
• Require security measures appropriate to the risks


Page 19: Managing a security program (when you are not a security expert)


Did we turn off the oven?
• Center for Internet Security Critical Controls:
  – https://www.cisecurity.org/critical-controls.cfm
  – Technical help needed to implement these, but understanding them does not require a technical background


Page 20: Managing a security program (when you are not a security expert)


Critical Security Controls
• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises


Page 21: Managing a security program (when you are not a security expert)


Where are we?
• Start with the critical controls, and score your company on each item:
  1. Initial: Processes are unpredictable. Not much documentation.
  2. Managed: Processes are documented, but not always followed. Often reactive.
  3. Defined: Processes are documented and proactive.
  4. Quantitatively managed: Processes are measured and controlled.
  5. Optimized: Continuous process improvement.


Page 22: Managing a security program (when you are not a security expert)


Are we there yet?
• “How long” is a tough question
  – From 1 to 2: 6-12 months
  – From 2 to 3: 12-18 months
  – From 3 to 4: 18 months
• Depends on how much money and effort you want to throw at the problem
• Secure your doors (perimeter network) first
• Awareness and patching are quick wins
• Then the engine (applications and databases)


Page 23: Managing a security program (when you are not a security expert)


Car making strange noise?
• If you have one or more “Initial” that is a bad sign.
• “Managed” is barely acceptable (depends on your industry)
• “Defined” or “Quantitatively Managed” is where we should be.
• “Optimized” is a lofty goal, but can be attained.
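The three slides above (score each control, estimate the time, interpret the result) are one procedure. The following is an added example, not code from the talk: it scores the 20 critical controls on the deck's 1-5 scale, lists the controls still at "Initial" so they can be fixed first, applies the deck's interpretation to the weakest control, and adds up the deck's per-step month ranges to estimate how long it takes to reach a target level. The sample scores are constructed. Gating the estimate on the weakest control (rather than summing over all twenty) and chaining the per-step ranges are my assumptions about how the deck's figures combine; the deck gives no figure for the step from 4 to 5, so that is reported as unknown.

```python
"""Maturity scorecard for the 20 CIS Critical Controls.

Added example, not from the slides. Uses the 1-5 maturity scale, the
per-step month ranges and the interpretation given in the deck. The
sample scores are constructed.
"""

LEVELS = {
    1: "Initial",
    2: "Managed",
    3: "Defined",
    4: "Quantitatively managed",
    5: "Optimized",
}

# Months to go from level N to N+1, as given on the "Are we there yet?"
# slide. The deck gives no figure for 4 -> 5.
MONTHS_PER_STEP = {1: (6, 12), 2: (12, 18), 3: (18, 18)}

# Constructed self-assessment: CSC number -> current level.
SAMPLE_SCORES = {
    1: 2, 2: 1, 3: 2, 4: 1, 5: 2, 6: 1, 7: 3, 8: 3, 9: 2, 10: 2,
    11: 2, 12: 3, 13: 2, 14: 2, 15: 2, 16: 2, 17: 1, 18: 2, 19: 2, 20: 1,
}


def months_to_reach(current, target):
    """Chain the deck's per-step ranges from `current` up to `target`.

    Returns (low, high) in months, or None if any step has no figure.
    Chaining the steps is an assumption about how the deck's ranges combine.
    """
    low = high = 0
    for lvl in range(current, target):
        if lvl not in MONTHS_PER_STEP:
            return None
        a, b = MONTHS_PER_STEP[lvl]
        low += a
        high += b
    return (low, high)


def verdict(weakest):
    """The "Car making strange noise?" slide, applied to the weakest control."""
    if weakest == 1:
        return "bad sign: at least one control is Initial"
    if weakest == 2:
        return "barely acceptable (depends on your industry)"
    if weakest in (3, 4):
        return "where we should be"
    return "optimized"


def scorecard(scores, target=3):
    """Summarise a set of per-control scores against a target level."""
    if not scores or not all(1 <= v <= 5 for v in scores.values()):
        raise ValueError("levels must be 1..5 and at least one control must be scored")
    weakest = min(scores.values())
    return {
        "weakest_level": weakest,
        "weakest_name": LEVELS[weakest],
        # Fix these first: the deck calls any "Initial" a bad sign.
        "initial_controls": sorted(c for c, v in scores.items() if v == 1),
        "below_target": sorted(c for c, v in scores.items() if v < target),
        "verdict": verdict(weakest),
        # Controls are worked in parallel, so the programme is gated by its
        # weakest control rather than by the sum over all twenty (assumption).
        "months_to_target": months_to_reach(weakest, target),
    }


if __name__ == "__main__":
    card = scorecard(SAMPLE_SCORES, target=3)
    print(f"Weakest level: {card['weakest_level']} ({card['weakest_name']})")
    print(f"Initial controls (fix first): {card['initial_controls']}")
    print(f"Below target: {card['below_target']}")
    print(f"Verdict: {card['verdict']}")
    print(f"Estimated time to Defined: {card['months_to_target']} months")
```

Run with a different `target` to see how the estimate changes; the point of keeping the month ranges in a table is that you can replace the deck's figures with your own once you have a year of data on how fast your organisation actually moves.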


Page 24: Managing a security program (when you are not a security expert)


The maintenance schedule
• NIST Cybersecurity Framework
  – http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
• There are other frameworks
  – The one from NIST is free
  – And it is pretty good
  – If you do business with the Federal government, you might be forced to use this


Page 25: Managing a security program (when you are not a security expert)


The maintenance schedule


Page 26: Managing a security program (when you are not a security expert)


When you are the mechanic
• If you are auditing vendors or clients:
  – Review policies
  – Ask questions based on data types and risks (inventory)
  – You can use Google’s questionnaire:
    • https://vsaq-demo.withgoogle.com/
    • https://github.com/google/vsaq
  – Ask for evidence
  – Ask if they have implemented:
    • Critical controls
    • A security framework
    • Ask for evidence
  – Repeat based on risk (1 year / 3 year)

Page 27: Managing a security program (when you are not a security expert)


Information Security: brakes?
• A car can travel fast if the driver knows it has good brakes
• Information security has the same function: it enables the business
• Policies and standards are the lane markings and guardrails
  – Just like their road equivalent, they can’t stop people from going off the road
• Our job is to keep people in the marked lanes

Page 28: Managing a security program (when you are not a security expert)


Questions