Cascading Risk. Tom Kellermann, CISM VP of Security Awareness. Core Security Technologies

Transcription

1 Cascading Risk Tom Kellermann, CISM VP of Security Awareness Core Security Technologies

2 The Evolution of the Threat Syndicates and the business model Internet Arms Bizarre Online fraud is 83X higher than trad. 9 out of 10 businesses impacted (FBI 2005) $ Million in shareholder losses (CRS)

3 in the digital age

4 Information Security Program Links in the Security Chain: Management, Operational, and Technical Controls Risk assessment Security planning Security policies and procedures Contingency planning Incident response planning Security awareness and training Physical security Personnel security Certification, accreditation, and security assessments Access control mechanisms Identification & authentication mechanisms (Biometrics, tokens, passwords) Audit mechanisms Encryption mechanisms Firewalls and network security mechanisms Intrusion detection systems Security configuration settings Anti-viral software Vulnerability & Penetration assessments This slide was produced by Dr. Ron Ross of NIST

5 NIST SA-9 Third-party Providers are subject to the same information system security polices and procedures of the supported organization and must conform to the same security control and documentation requirements as would apply to the organizations internal systems.

6 Lessons Learned Conduct ongoing oversight of the third party (TP) and their activities; Secure Outsourcing Agreement (SOA)--Verify that the legal requirements to which the service provider is contractually obligated, are compatible with your organization s definition of adequate security; Identify who in the service provider organization is responsible for security oversight, e.g., CSO or CISO; Verify that they do routinely conduct penetration and vulnerability tests to their systems with predetermined best of breed tools; Encourage the identification of undisclosed TP agreements e.g. subcontracting and subsequent penalties;

7 Lessons Learned Continued Confirm that their policies and agreements regarding security breaches include customer notification on a timely basis; Verify whether they have layered security as outlined in the Twelve Layer Matrix; Confirm that the service provider has adequate backup facilities; Maintain strong termination clauses for lack of due diligence.

8 Key Questions Has your organization established policies to restrict, control, and monitor systems access by vendors and contractors? Do outsourced personnel sign non-disclosure agreements? If outsourcing/contracting certain services, are the security controls under direct authority of your CIO within the contract? Has the entity undergone a penetration test? Have the discovered vulnerabilities been remediated?

9 8 ELEMENTS of an SOA Security Audits Physical Security Web Security Data Security Network Security Host Security Encryption (minimum 128bit) Incident Response

10 The Golden Rules Be aware that in the aquatic environment that is the internet, you partners network and your hosting company s networks are symbiotic. Harden the target; Layered security. Develop an enterprise-wide information security strategy and game plan. Establish level of due diligence for information security. Mandate annual cybersecurity training for all senior managers on all ends of the data stream. Strong supplier management. SOA/AUDIT Do not abdicate your responsibility to manage their security posture.

11 ADDITIONAL INFORMATION To learn more: Website: Resource: See a flash demo of Core s penetration testing tool below. Tom Kellermann: tom.kellermann@coresecurity.com