Ernie Hayden CISSP CEH Executive Consultant

Transcription

1 Ernie Hayden CISSP CEH Executive Consultant

2 The Old Paradigm The New Philosophies What to Do? Discussion, Q&A

3 Herstmonceux Castle and Moat

4 h/images/full_illus014.jpg

5

6 Heartland Sony Sega WikiLeaks Etc.

7 Deborah Plunket NSA Information Assurance Directorate December 2010 (Note 1) computer systems must be built with the assumption that the adversaries will get in. Further: Most sophisticated attackers are going to go unnoticed on the NSA s networks Note 1: Will-Compromise-Networks /

8 January 2011 Recognition that you have been or will be breached.and protect your systems and data accordingly. This approach is more realistic and allows for more flexibility in protection of highvalue assets.

9 Mr. Kris Herrin, CTO, Heartland Payment Systems June 2011 the new approach by Heartland is to take all possible and practical steps to protect the data but they will assume the security systems and data can and have been breached. Herrin

10 More companies every day are acknowledging that in order to survive in this new era of attacks we all have to accept the fact that the bad guys are in our network. Period. RSA CONFERENCE EUROPE 2012 LONDON, OCTOBER 9, emc-at-glance/execteam/heiser.htm

11 Kirk Bailey University of Washington CISO 2003 Introduced everyone to the idea of assumption of breach It is not a matter of if but when. nology/13kirk.1.jpg

12 The Assumption of Breach is a new philosophy vs. what we were taught in Security 101 or our CISSP classes. This Requires: Board-Level Support CEO Support Recognition that the Key Data is the focus

13 Still Keep the Fortress Evidence of Due Care Recognize the Strainer Model Kirk Bailey Top 10 trainer/3.jpg

14 1. Implement a Risk Management Framework Repeatable, Demonstrates Trends 2. Conduct Asset Profiling and Inventory Know Where Your Crown Jewels Are Separate Out Critical and Non-Critical Data 3. Prioritize Assets and Related Risk-Mitigation Efforts Focus on the Crown Jewels 4. Incident Response Roles and Communications Plans

15 5. Implement Aggressive Risk Transfer Programs Through Detailed Contracts and Insurance Underwriting 6. Establish and Sustain Active and Strategic Alliances Allows for Effective and Trusted Cross- Communications About Threats, Mitigation Schemes and Lessons Learned Include Trusted Vendors and Security Providers 7. Implement a Business Intelligence Program Include Dashboards and Situational Awareness

16 8. Establish Advanced Incident Response and Management Think and Look Outside the Normal Cyber Incident Response Practices Example: Phishing Attacks on Executives 9. Practice Strategic Isolation and Enclaving of: Critical Data Key Executives, Scientists, Knowledge Workers Limit Presence on Social Networks 10. Consider an Active Response Capability

17

18 Unusually heavy network traffic Out of disk space or significantly reduced free disk space Unusually high CPU usage Creation of new user accounts Attempted or actual use of administrator-level accounts Locked-out accounts Account in-use when the user is not at work Cleared log files Full log files with unusually large number of events Antivirus or IDS alerts Disabled antivirus software and other security controls Unexpected patch changes Machines connecting to outside IP addresses Requests for information about the system (social engineering attempts) Unexpected changes in configuration settings Unexpected system shutdown. Pages 6-19 to 6-20

19 The new paradigm for utility information security: assume your security system has already been breached Asian Power Magazine Assumption of breach: How a new mindset can help protect critical data Search Security Magazine ssumption-of-breach-how-a-newmindset-can-help-protect-critical-data

20 Are you compromised but don t know it? PWC White Paper New SCADA Security Reality: Assume a Security Breach Tofino Security Blog

21 Ernie Hayden CISSP CEH Executive Consultant Securicon, LLC 1321 La Forest Drive SE North Bend, WA Phone: