Managing Network-related Risk for SMEs

Transcription

1 Managing Network-related Risk for SMEs SANS Information Security Webcast 20 Mar 2012 Geneva, Switzerland version 1b Jim Herbeck Managing Partner, Nouvel Strategies Member of Faculty, SANS Institute SANS Webcast archive: Slide handout (English): Slide handout (French): 1 Welcome to the webcast! Java-based Elluminate platform - audio, whiteboard, interaction Interaction - polling: answer questions - emoticons: provide feedback - chat: ask questions After the webcast - replay webcast archive - download handout 2

2 Agenda Initial words Defining network-related risk Likelihood and severity for SMEs Controlling network-related risk for SMEs Final words 3 Managing risk vs. controlling risk Managing risk is jargon used by managers. Controlling risk is jargon used by auditors and finance people. Both mean essentially the same thing, however controlling risk has some semantic advantages: - defining control objectives to control risk. - defining controls to meet control objectives. 4

3 Review from previous webcast: Security controls, organized by category Function Administrative Technical Physical Description Decisions by management, personnel, legal, or purchasing. Also includes developing policies, standards, policies, or processes. Activities involving computer hardware, software, applications, or network infrastructure. Badges, gates, locks, alarms, or guards. 5 Review from previous webcast: Security controls, organized by action Action Preventative Deterrent Detective Corrective Recovery Description To stop the occurrence of undesirable events. To discourage the occurrence of undesirable events. To notice the occurrence of undesirable events. To respond to the occurrence of undesirable events, to prevent damage. To restore after damage caused by the occurrence of undesirable events. 6

4 Review from previous webcast: Security control matrix Administrative Technical Physical Preventative Deterrent Detective Corrective Recovery 7 Agenda Initial words Defining network-related risk Likelihood and severity for SMEs Controlling network-related risk for SMEs Final words 8

5 Where can you find a pragmatic, business-oriented, standards-based list of network-related risk? CPI-RISC* Information Risk Framework originally released in 2010 defines 33 risk areas, organized into 7 business functions: - management - personnel - legal - facilities - finance - IT - purchasing based on ISO 27001, ISO 27002, and SANS 20 Critical Security Controls (v3.0) * CPI-RISC: Continuous Process Improvement Risk, Information Security, and Compliance 9 CPI-RISC* Information Risk Framework: ITS4 summarizes network-related risk Based on ISO 27001, ISO 27002, and SANS 20 Critical Security Controls (v3.0) A (ISO 27001) or (ISO 27002) A (ISO 27001) or (ISO 27002) A (ISO 27001) or (ISO 27002) A (ISO 27001) or (ISO 27002) A (ISO 27001) or (ISO 27002) A (ISO 27001) or (ISO 27002) SANS CC4 SANS CC5 SANS CC13 SANS CC14 SANS CC16 * CPI-RISC: Continuous Process Improvement Risk, Information Security, and Compliance 10

6 Summarized for civilians: Network-related risk As a result of inadequate network security or network flaws: - the risk of the loss of confidentiality or integrity of information resources - the risk of the inability to use network or network services 11 Controls for reducing network-related risk implementing a securely designed network implementing a securely designed wireless network implementing a securely designed network perimeter using secure network device configurations preventing unauthorized access to network services 12

7 What criteria are used to categorize network-related risks? Attack vector: - risks associated with network-based attacks Responsible person/third party: - risks managed by network manager/network service provider Control type: - risks managed with network equipment (routers, access points, firewalls, IDSs, IPSs, etc.) Doesn t include: - malicious software risk (controlled by system admins) - phishing risk (controlled by finance processes) 13 Agenda Initial words Defining network-related risk Likelihood and severity for SMEs Controlling network-related risk for SMEs Final words 14

8 Why do we care about likelihood and severity? Likelihood of Occurrence High Medium Low Areas of Concern Low Medium High Severity of Impact / Consequences 15 istockphoto/luis Pedrosa What s the most serious network-related risk? unauthorized, remote access of information resources via the network - could compromise confidentiality - could compromise integrity - could compromise availability What s worse? undetected, unauthorized, remote access of information resources via the network - advanced persistent threat (APT) nightmare scenario 16

9 Realistically, what s the impact for an SME? direct loss: financial - ebanking username/password could be stolen. - Fraudulent invoices could be created and paid. indirect loss: embarrassment, loss of reputation, loss of customers, loss of income, legal penalties, SLA / contractual problems - Customer information could be stolen. - Network services could be modified (website defaced). - Network services could be interrupted (server crash). 17 Agenda Initial words Defining network-related risk Likelihood and severity for SMEs Controlling network-related risk for SMEs Final words 18

10 What are the steps for controlling any risk? 1. Identify the risk. 2. Determine the risk management decision and define the control objectives. 3. Select controls to be used for achieving control objectives. - Choose a variety of control types. 4. Develop the plan for implementing controls. - Implementation plan may span multiple years. 19 Steps 1, 2, and 3: Controlling network-related risk 1. Identify risk - risk: attack via the network 2. Define decision / control objective - decision: to prevent attacks - control objective: to reduce the likelihood and severity of attack via the network 3. Select controls - implement a network policy - implement a securely designed network - implement a securely designed wireless network - implement a securely designed network perimeter - use secure network device configurations - prevent unauthorized access to network services 20

11 Implementing a Network Policy* [administrative/preventive control] To reduce the likelihood and severity of attack via the network: - A securely designed network shall be implemented. - A securely designed wireless network shall be implemented. - A securely designed network perimeter shall be implemented. - Secure network device configurations shall be used. - Access controls shall be used to prevent unauthorized access to network services. * Network Policy: network-related portion of the information security policy 21 Implementing a securely designed network and a securely designed wireless network [technical/preventive control] A network manager or network service provider should design and implement the organization s internal network: - determine security requirements for all network services - specify the appropriate use of: - encryption (router/switch/vpn concentrator) - network segmentation (router/switch) - network access control devices (firewall) The secure network plan and requirements should be documented. 22

12 Implementing a secure network perimeter [technical/preventive, technical/detective, technical/corrective control] A network manager or network service provider should design and implement the organization s connection to any external networks and the Internet: - determine security requirements for all network services - specify the appropriate use of: - encryption (router/switch/vpn concentrator) - network segmentation (router/switch) - network access control devices (firewall) - network proxy (router/switch/firewall) - network attack detection devices (IDS) - network attack response devices (IPS) The secure network plan and requirements should be documented. 23 Using secure network device configurations [technical/preventive, technical/detective, technical/corrective control] Ensure network device configurations correctly implement the security requirements. Ensure network devices themselves are resistant to attack. Good resource for SMEs: the Center for Internet Security benchmarks. 24

13 Preventing unauthorized access to network services (inbound/ingress filtering) [technical/preventive, technical/detective control] Control inbound access to network services based on business requirements: - old way: black list (list of forbidden access/sites) - new way: white list (list of allowed access/sites) Monitor access logs to detect unauthorized access. 25 Preventing unauthorized access to network services (outbound/egress filtering) [technical/preventive, technical/detective control] Control outbound access to network services based on business requirements: - old way (black list) vs. new way (white list) Monitor access logs to detect unauthorized access. Good resource for SMEs: OpenDNS - controls external access by filtering DNS resolution - free entry level service 26

14 Summarized for civilians: Controlling network-related risk 1. Write a network policy. 2. Proactively plan, implement, and manage secure network: - Define role for network management (internal/external). - Define and document security requirements for network and all network services. - Implement secure network (wired/wireless) according to requirements: - Include segregation, DMZ, proxies, firewalls, IDSs, or IPSs as required. 3. Implement network access control: - Write network access standard (network access policy) to define network access required by business applications and business processes. - Implement network access control on firewall and network devices according to network access standard. - Perform ingress and egress filtering. - Block access to ports/services/websites that don t have a documented business purpose. 27 Reviewing the control matrix: Has anything been missed? Administrative Technical Physical Preventative Deterrent Detective Corrective Recovery N/A [Access warnings] N/A [Incident plan] N/A [DRP plan] N/A [Backup plan] [Backup system] N/A 28

15 Step 4: Developing multi-year implementation plan Determine how many years your implementation plan will span. Based on constraints, plan what to implement each year: - implement preventive controls first Don t forget verifying control effectiveness: - network scanning and vulnerability assessment tools can verify if network access controls are working - the Center for Internet Security has benchmark scoring tools that can verify secure configurations 29 Agenda Initial words Defining network-related risk Likelihood and severity for SMEs Controlling network-related risk for SMEs Final words 30

16 Network-related risk is evolving. Is your information security program evolving? Cloud computing Social networking Instant messaging Data leakage / data loss prevention 31 Upcoming Webcasts for SMEs Apr, 2012 Managing Legal, Regulatory, and Compliance Risk for SMEs May, 2012 Managing System-related Risk for SMEs Jun, 2012 Managing Third Party Risk for SMEs 32

17 Managing Networkrelated risk for SMEs SANS Information Security Webcast 20 Mar 2012 Geneva, Switzerland version 1b Jim Herbeck Managing Partner, Nouvel Strategies Member of Faculty, SANS Institute SANS Webcast archive: Slide handout (English): Slide handout (French): 33