9 Risk Management Risk Identification Process Risk Mitigation Stage Active Controls Administrative Controls Process Controls Technical Controls Financial Controls Plan on Doing Nothing Contingency Plans Passive Controls
10 Measure acceptable risk? Cost ($) Optimal Level of Security At Minimum Cost Total Cost Cost of Security Countermeasures Cost of Security Breaches 0% Security Level 100% Internet Security Alliance July 2002/Data from Dr. William M. Hancock, Exodus, A Cable and Wireless Service
11 !" # % # "
12 Attack Sophistication vs. Intruder Technical Knowledge High Intruder Knowledge Attack Sophistication Low back doors disabling audits self-replicating code password guessing sniffers sweepers exploiting known vulnerabilities password cracking hijacking sessions Cross site scripting stealth / advanced scanning techniques packet spoofingdenial of service burglaries distributed attack tools www attacks automated probes/scans GUI network mgmt. diagnostics Intruders by Carnegie Mellon University Auto Coordinated Staged Tools
13 Types of IT Security Disaster Planning Network Disruption: prey upon an organization s lack of security or detection capability. Examples are DOS attacks or p/w guessing. Considerations: Operational disruption testing Vignette: Attack on world s root DNS infrastructure
14 Network-Based IT Security Disaster Considerations: VOIP?
15 Network-Based IT Security Disaster Considerations: VOIP? :!" " Secure DMZ-to-Internal Network Nomenclature Block any incoming packet of any type that has an internal IP address as its source address. (protects against spoofing) Allow in any TCP packet that s part of an established connection. (maintains corporate internet use policy) Allow in any TCP packet that s explicitly addressed to on port 80. (protects against spoofing) Block any other incoming TCP packets and log them to the router s display. (protects opportunistic reconnaissance / entry) How does this look for VOIP / Extranet Service Providers w/o VPN?
16 Network-Based IT Security Disaster Considerations: VOIP?
17 Network-Based IT Security Disaster Considerations: VOIP? ;<" 98 ( Have you conducted a single-point-of-failure analysis prior to adopting VoiP? Because some VoIP services do not work during power outages, do you have a continuity plan in place to provide back-up power in the event of an outage? Do you have a way to connect with emergency services? Have you considered the dangers of leveraging a single technology the Internet and thereby creating problems with a single point of failure? Have you installed adequate controls to mitigate the availability risks associated with VoIP? Are you protecting yourself against eavesdropping, spoofed IP addresses, and inauthentic data packets flooding your server? Have you considered the dangers of replay attacks? Are you monitoring traffic and restricting it to a select group of IP addresses? Do you require VoIP devices to authenticate each other before communication starts? Do you use TLS to provide a secure communication channel? Do you encrypt communications using SRTP? What is your level of redundancy for web connectivity?
18 Types of IT Security Disaster Planning Network Disruption: prey upon an organization s lack of security or detection capability. Examples are DOS attacks or p/w guessing. Considerations: Operational disruption testing Vignette: Large retail store Malicious Code Malicious Code: characterized by the insertion of malicious code into an organization s infrastructure. Examples are worms and viruses. Considerations: Alternate Site Anti-Virus, Filtering Vignette: Large national bank in leveraging HA
19 Malicious-Code IT Security Disaster Considerations: XML?
20 Network-Based IT Security Disaster Considerations: XML? ;<" = > ( Is XML affecting your network performance or application server performance? Do you have a plan in place to address a denial-of-service attack which could take down your network by flooding your server with XML messages? Do you have security measures in place to scan XML files for malicious code? Is your company depending on XML creating a single point of failure? Is your proprietary corporate data being compromised by XML? Are you validating Web Services Description Language? Are you doing all you can to validate data between the sender and receiver?[li1] Do you know which applications currently installed or planned use XML? Have you considered cryptography or patch management solutions? Are you familiar with XML acceleration appliances? Are you familiar with binary XML and its potential benefits/risks? Can SML-migration be a consideration for your XML-based communications?
21 Types of IT Security Disaster Planning Network Disruption: prey upon an organization s lack of security or detection capability. Examples are DOS attacks or p/w guessing. Considerations: Operational disruption testing Vignette: Large retail store Malicious Code: characterized by the insertion of malicious code into an organization s infrastructure. Examples are worms and viruses. Considerations: Alternate Site Anti-Virus, Filtering Vignette: Large national bank in leveraging HA Vulnerability Management: Vulnerability Management: exploit specific technical weaknesses inherent in the infrastructure itself. Worms, patch mgmt, etc Considerations: Patch Management (including Alt. Site) Vignette: Cisco Source Code, SNMP
22 Types of IT Security Disaster Planning Network Disruption: prey upon an organization s lack of security or detection capability. Examples are DOS attacks or p/w guessing. Considerations: Operational disruption testing Vignette: Large retail store Malicious Code: characterized by the insertion of malicious code into an organization s infrastructure. Examples are worms and viruses. Considerations: Alternate Site Anti-Virus, Filtering Vignette: Large national bank in leveraging HA Vulnerability Management: exploit specific technical weaknesses inherent in the infrastructure itself. Worms, patch mgmt, etc Considerations: Patch Management (including Alt. Site) Vignette: Small e-business wholesaler Criminal / Compliance Criminal / Compliance : finite, deliberate attacks that use a combination of exploits (i.e. administrative, process, financial) to achieve a highly desired goal. Also consider government enforcement actions. Considerations: Internal Penetration Testing / Forensics Provider Vignette: Small NY non-profit company
23 Types of IT Security Disaster Planning
24 Traditional Disaster Recovery Site Considerations Network Connectivity Hardware Operating Systems Mission-critical Applications Additional Security Considerations for Recovery Sites Anti-Virus Protection Firewalls and Access Control Rules Router Control List IDS VPN and Authentication Tokens Content Filtering Forensics and Diagnostic Tools Operating System and Application Security Patches
26 Business Drivers for Info Availability :!! - Need to become more effective more efficiently - Security, BC/DR, & IT programs are often disconnected & overlapping = Inefficient??"100/" -Need for information / guidance supporting IT governance,asking questions such as: - What should be defined in repeatable process? - What is an appropriate level of detail? - What should be measured? What should be automated? - What is Best Practice? Is there a certification available? - Organizations more aware of service continuity & related risks - Virtues of dependability, reliability & resilience as an integral part of an organization s business culture and value proposition - Address continuity issues as standard operating policy, instead of addressing them as an added-cost item - Accepting the costs of fully tested continuity plans and rock-solid SLAs as the price of remaining viable within your industry
27 Information Availability Assessment People Processes Technology Information Security Information Architecture Information Management Regulatory / Industry Compliance! 8
28 ! 3 Domains: Info Security; Info Management; Info Architecture 5 Competencies within each domain 150 Attributes DOMAINS Information Security (A) Information Management (B) Information Architecture (C) Policies, Procedures, and Regulatory Compliance Management Controls Facility and Environmental Infrastructure COMPETENCIES Architecture & Project Management Access Control / Organizational Skills Information Management Continuity of Services Network Design Systems Design Awareness, Education, and Training Maintainability Component Architecture (Data/Voice) Exposure Analysis and Reporting Metrics Performance Measurements Information Accessibility Documentation
30 !" Averages Info Info Security Rating: 27% 27% Policies, Policies, Procedures: Procedures: 27% 27% Architecture Architecture& PM: PM: 40% 40% Access Access Control: Control: 12% 12% Awareness/Education: 19% 19% Exposure Exposure Analysis: Analysis: 37% 37% 0.00 Policies / Procedures & Compliance Architecture & Project Mgmt Access Control / Org'l Skills Awareness / Education Exposure Analysis & Me trics Sample Strengths: A high-level Information Security Policy, along with some supporting Securityrelated policies and standards, exist at ABC Corporation. Firewalls, Intrusion Detection, Virus Detection, and internal Vulnerability Assessments software and/or services are in place. Additionally, anti-virus is deployed and used at the server, SMTP, and desktop levels. WAN and LAN design has included resiliency considerations. ABC Corporation contracts with external third parties for routine audits of the security environment.
31 ) 8! Domain Attribute Recommendation Summary Impact Effort Cost Action Priority IS A.1.1 Audit and Improve Information Security Policies High Low Low 1 IS A.1.1 A.1.2 Framework for Policy Administration, Review, and Enforcement High Low Low 1 IS A.2.1 Conduct an Enterprise Risk Assessment High Low Low 1 IS A.2.2 Improve and Implement Information Security Management Model High Low Low 1 IS A.3.4 Formalize Process for Status Changes and Terminations High Low Low 1 IS A.3.5 Improve Password Practices High Low Low 1 IS A.3.6 Improve Workstation Security Practices High Low Low 1 IS A.4.8 A.4.9 Encourage IT Security Professional Development High Low Low 1 IM B.1.3 Establish a formal Information Availability Awareness Training Program High Med Low 1 IM B.1.4 Where applicable, establish formal SLAs with supporting vendors Med Low Low 1 IM B.1.5 Establish formal procedures for responding to changes to existing policies, procedure and guidance and their subsequent distribution. Med Low Low 1 IM B.2.4 Formally document Service Level Objectives (SLOs) with System Administrators and end users. High Low Low 1 IM B.3.6 Establish a formal communications plan for internal and external audiences during recovery operations. High Low Low 1
33 CIO Issues Technology Business Processes Products and Services Strategy & Governance Evolving Role of the CIO Manage technology Automate business processes Enable new products and services Participate in executive management role
34 ! " 8" 5 Wall Street firms - $8+ Million fine Banc of America Securities - $10Million penalty for Document Production Failures $37 Million fine Symbol Technologies accounting fraud (+ 11 executives) $25 Million penalty Lucent Technologies for accounting fraud $240 Million settlement for 5 specialist firms
35 6 Interconnected Economy Governance & Management CIO Privacy & Info Security Liability for IT Failures
36 7!! FFIEC & OCC Banking Securities Act of 1934 GLB Financial HIPAA Sarbanes Public Companies Securities SEC 17a4 & & Business Continuity Information Security Information Content Mgmt.
37 8!! Identify critical back office activities and systems that support them. (business process, not just technology.) Drive planning and testing activities to meet appropriate RTOs Maintain sufficient geographically dispersed resources to meet recovery objectives (staff, equipment and data.) Routinely test recovery and resumption arrangements with emphasis on connectivity with major counter-parties and arrangements with third party providers.
38 !" 9" Regulatory Agency: RTO Expectation: Interagency White Paper Clearing & Settling intraday: 2 4 hours SEC Policy Statement Trading Markets next business day SEC & NASD/NYSE Policy Securities Firms variable RTO s permitted, but customer-notified SLAs
39 6 #".A+0B.A10%6C 7"//, Drafted August, 2002 Approved by SEC April 7, 2004 Member firms must have documented business continuity plans. Annual review is required and senior officer is responsible. Why? To bring self-regulated organizations into line with regulated financial sector. Goal is to enable members to meet existing obligations to customers, other broker dealers and counterparties. NASD: 5600 members, branches
40 7! # NASD Rule 3520 Emergency Contacts All Firms June 14, 2004 NASD Rule 3510 Business Continuity Plans Clearing Firms August 11, 2004 Introducing Firms September 10, 2004 NYSE Rule 446 Business Continuity Plans August 5, 2004
41 @" ( Rule emergency contacts Senior management & registered principal Reviewed quarterly or when material change Rule 3510 Documented business continuity plan Senior management approval Outside repository Copy filed with NASD*** Customer disclosure
42 +0! Data back-up and recovery (hard copy & electronic) 2. All mission critical systems 3. Financial and operational assessments 4. Alternate communications between customers and the member 5. Alternate communications between the member and its employees 6. Alternate physical location of employees 7. Critical business constituents, banks, and counter-party impact 8. Regulatory reporting 9. Communications with regulators 10. How the member will assure customers prompt access to their funds and securities in the event that the member determines it is unable to continue its business People, Processes and Technology
43 ! Newly Added Language: Every NASD and NYSE member also will be required to disclose to its customers a summary of its business continuity plan that addresses how the member intends to respond to potential disruptions of varying scope.
44 "#!" When? At time of account opening Available on request by mail Posted on web site (if applicable) Not yet widely known by business side or IT Clear opportunity to open conversation with clients
45 "#!" Recovery Time Objectives (RTOs) for multiple scenarios Firm only Building only District only City only Regional Planned Response Stated intention to continue business Back-up facilities and arrangements such as: Voice response system Online trading Alternate call center/telephone contact Access to accounts Significant 3 rd Party relationships such as: Clearing and settling Outsourced front end/back office processing
46 "! Crisis Control Team Who has the authority to execute? Emergency contact information Alternate Command Center Alternate means of communication Action Plan Media control plan Provisions for : Legal Human Resources Finance
47 64- # 8"! Why Sarbanes-Oxley? Enron 7 th largest company in US record growth through June st restatement October 2001 Bankrupt by December 2001 Worldcom - $11Billion in restated earnings
48 48" Ensure the integrity and transparency of US capital markets Restore checks and balances for corporate governance and ethical corporate behavior Restore reputation for rectitude of the SEC Senator Paul Sarbanes, May 2004
49 '!! Section Certification CEO and CFO must certify their financial statements Deadline: in effect now Section 404 Internal Controls Auditors must certify internal controls and processes in addition to financial numbers Deadline: extended to Nov 15, 2004 Section 409- Disclosure Companies must provide real time disclosure of material events that might effect performance, real time reporting (including changes/events relating to internal controls) Deadline: August 2004 (NEW accelerated date)
50 !" ( Industry: Buy Side Sell Side Gramm-Leach- Bliley Federal White Paper SEC Trading Markets NASD 3510 NYSE 446 SEC 17a4 Sarbanes Oxley Clearing Bank (BONY e.g.) brokerage? Large Brokerage (Prudential/Wa chvia Sec e.g.) If > 5% share Market Data Feed? (Reuters e.g.) 3 rd Party IT Business Services EDS e.g.
51 Bank of New York: IWP 2 Hr RTO, business recovery (workgroup),network and connectivity to value chain GLB info security & business continuity NASD 3510 business continuity, customer SLAs SEC17a4 electronic archiving incl. and IM relating to customer accounts if brokerage Sarbanes info security, electronic archiving for workpapers/messages relating to financial statements FFIEC/OCC (retail) business continuity, improved test results, info security, 3 rd party supervision
52 Industry: Healthcare Gramm- Leach-Bliley HIPAA Sarbanes Oxley Insurance (Aetna e.g.) Hospitals (Tenet Healthcare e.g.) Large Group Practice Not unless publicly held
53 " Utility FERC, NERC, Sarbanes if public Physical and info security, business continuity, incident response Annual certification Electronic records retention Pharmaceutical FDA Title 21, Sarbanes, HIPAA Info security, business continuity, records retention
54 Review of Industry Trends & Forecasts!" # $% & ' ( ) "" (!%
55 Carl Herberger SunGard Availability Services Sr. Director, Information Security Professional Services Wayne, PA
56 Treasure Trove of Information BB * *"*!B"!B D8B
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),
FOREWORD A key component in protecting a nation s critical infrastructure and key resources (CIKR) is the security of control systems. WHAT ARE CONTROL SYSTEMS? Supervisory Control and Data Acquisition
A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
Invensys is now White Paper Cyber Security Authors: Ernest Rakaczky, Director of Process Control Network Security, Invensys Paul Dacruz, Vice President, Power Industry Solutions What s Inside: 1. Introduction
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1 Models of IT Security Security Rules & Regulations: An Interpretation Dines Bjørner Fredsvej 11, DK 2840 Holte, Denmark Presented at Humboldt
Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
FIRST Site Visit Requirements and Assessment Document originally produced by CERT Program at the Software Engineering Institute at Carnegie Mellon University And Cisco Systems PSIRT Revision When Who What
INFORMATION TECHNOLOGY User Standards and Guidelines Manual May 2010 Division of Information Technology http://www.palmbeachschools.org/it/security.asp Table of Contents 1. Introduction... 4 2. Definitions...
Harvard Medical School Information Security Policy Contents: I. Access Control... 4 II. Fixed Password Management... 4 III. Third Party Disclosures... 5 IV. Dissemination of Information... 5 V. Establishing
THE OFFICE OF ENTERPRISE TECHNOLOGY STRATEGIES Statewide Technical Architecture Implementation Guidelines: Red Hat Enterprise Linux Implementation Guidelines: Red Hat Enterprise Linux Revised Date: Version:
PeopleSoft Red Paper Series Securing Your PeopleSoft Application Environment July 2010 Including: How to Plan for Security How to Secure Customized System Exposing PeopleSoft outside the Firewall Securing
White Paper: Managed Network Services Trends for Today s Enterprise Organizations Released December 2010 Spacenet Inc 1750 Old Meadow Road McLean, VA 22102 www.spacenet.com 866-480-2263 1 Table of Contents
The Impact of Electronically Stored Information on Corporate Legal and Compliance Management White paper The impact of electronically stored information on corporate legal and compliance management: An
Wireless Local Area Network (LAN) Security Guideline Noor Aida Idris Mohamad Nizam Kassim Securing Our Cyberspace 2 To say a system is secure because no one is attacking it is very dangerous (Microsoft
Practice Guide Reliance by Internal Audit on Other Assurance Providers DECEMBER 2011 Table of Contents Executive Summary... 1 Introduction... 1 Principles for Relying on the Work of Internal or External
Delgado Community College Information Technology Security Policy Approved: *November 5, 2010 ) Delgado Community College IT Security Policy Page 2 *November 5, 2010 Table of Contents Title Page 1.0 Introduction
GAO United States General Accounting Office May 2004 TECHNOLOGY ASSESSMENT Cybersecurity for Critical Infrastructure Protection GAO-04-321 May 2004 TECHNOLOGY ASSESSMENT Highlights of GAO-04-321, a report
Report Number: I332-016R-2005 Security Guidance for Deploying IP Telephony Systems Systems and Network Attack Center (SNAC) Released: 14 February 2006 Version 1.01 SNAC.Guides@nsa.gov ii This Page Intentionally
Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:
C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n G o v e r n a n c e a n d I n t e r n a l C o n t r o l C O S O I N T H E C Y B E R A G