Security Triage una valutazione della sicurezza efficiente e compatibile con il ciclo aziendale, l'esperienza di Poste Italiane

Transcription

1 Sicurezza Ciberne-ca Nazionale: consapevolezza e autovalutazione Security Triage una valutazione della sicurezza efficiente e compatibile con il ciclo aziendale, l'esperienza di Poste Italiane Fabio Massacci & M. Giacalone, R. Mammoliti, F. Paci, R. Perugino, C. Selli Trento, 10 ottobre

2 Security Triage una gestione della sicurezza efficiente e compatibile con il ciclo aziendale, l'esperienza di Poste Italiane v. 1.3a 2

3 Sicurezza Ciberne-ca Nazionale: consapevolezza e autovalutazione Organizzatori e sponsor evento Sponsor e sostenitori di ISACA VENICE Chapter Con il patrocinio di 3

4 Fabio Massacci Fabio Massacci è professore ordinario di Ingegneria dell'informazione all'univ. di Trento. Per UNITN è stato delegato del rettore per la Direzione Informatica per 7 anni e vice-director for education per l Italia dell'european Institute of Technology - ICT Labs. Collabora all'innovation Lab di Poste Italiane a Trento. Ha più di 150 pubblicazioni (h-index >30) e gestisce numerosi progetti di ricerca tra accademia-industria su security management, security economics, e sull'impatto dei progetti di ricerca sull'innovazione. E' socio ISACA dal 2008 ed ha scritto sull'isaca Journal su security management e compliance. 4

5 ABSTRACT Poste Italiane is a large corpora-on offering integrated services in banking and savings, postal services, and mobile communica-on. Every year, it receives thousands of change requests for its ICT services. Applying to each and every request a security assessment ``by the book' (being it COBIT, ISO27001, BSI, IAS etc.) is simply not possible. We report the experience by Poste Italiane of a lean methodology to iden-fy security requirements that can be inserted in the produc-on cycle of a normal company. The process is based on surveying the overall IT architectures Security surveying and then a lean dynamic process Security Triage to evaluate individual change requests, so that important changes get the asen-on they need, minor changes can be quickly implemented, and compliance and security obliga-ons are met. 5

6 Poste Italiane Largest Italian Employer banking, financial services, logis4c 19 Billion Euro turnaround, employees Security and Compliance Regula-ons European Banking Regula4on, EU Privacy Laws, Credit Cards PCI, Criminal Laws (PI serves legal no4ces), etc. etc. Thousands Services, Apps and Servers Every month 150+ change requests to IT Dept. Every year change requests 6

7 An Example Internal Web Site for Tracking Parcels Includes an authen4cated web- app to monitor single events Requests (together with 200 other changes) 1. Create a Dashboard on the screen 2. Add a field about nature of parcel (e.g. private customer, parking fine, legal no4ce, etc.) 3. Create a buton to export Dashboard result to excel Apparently not a major security problem 7

8 Change Implications are not obvious Internal Web Site for Tracking Parcels Includes an authen4cated web- app to monitor single events à not a big security problem Requests (together with 200 other changes) 1. Create a Dashboard on the screen 2. Add field about nature of parcel ( private customer, parking fine, legal no4ce, credit card ) 3. Create a buton to export Dashboard result to excel They do no have the same implica-ons! (2) makes data relevant to Judicial Proceedings profile à whole slate of security regula4ons applies 8

9 Security Assessment by the book (Security) Assessment is essen-al Proper Requirements analysis saves significant money Security should be considered from the early phases Bla bla, Blu Blu, ISO 27001, NIST , COBIT, BSI, IAS, EBIOS, Input: Effort + Assessment Method Iden4fy Assets à Threats and Risks à Security Controls Ouput: Security Requirements for IT Systems Ques-on: does Security Assessment always empirically deliver value? 9

10 Back of the Envelope Computation change requests x ISO questions x 300 on process/people + 16 on information on applications on Sw components on infrastructures on facilities 3minute each > minutes Divide 60min x 40 hours week x 48 weeks = 52 Full- -me equivalent/year à just for asking (and the work?) 10 10

11 Security Analysis by the book (ISO 27001, COBIT, BSI etc.) cannot empirically deliver value at the pace of change Get over it! but what is the alternative? v. 1.3a 11

12 Key Ideas NOT every change request deserves equally good (Security) Requirement analysis Triage, noun, medicine the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of pa4ents or casual4es. Survey, verb, architecture examine and record the area and features of (a large area of land) so as to construct a map, plan, or descrip4on. 12

13 Security Triage + Survey Security Survey (off- line = lengthy) Build map of IT architecture (more than UML diagram!) à assign business/security perimeter (heart a(ack, stroke, mild concussion etc.) à iden4fy rela4ve requirements (adrenaline shot, NMR scan, paracetamol, etc.) Security Triage (on- the- fly = quick) Make high level ques4ons on change requests à assess cri4cal features (chest pain, slurred speech, etc.) à decide order of security treatment (Red = Full SRE) 13

14 Questions for the Triage For every change requests security experts support change owner Ask what kind of of data you have and whether a compromise in ú Confiden4ality, Integrity, Availability (how lbig), Lead to an impact on Reputa4on, Financial losses, commercial hedge (against compe44on), legal obliga4ons, opera4onal efficiency FEW simple ques-ons for the change owner E.g. X hour of down4me (availability) may lead to a minor/ major/significant/business cri4cal loss of reputa4on Security experts determine security perimeters and cri-cality (1-5) based on answers 14

15 Empirical Measures Does it saves -me? Does it correctly iden-fy perimeters? That s not obvious à the actual ques-ons makes a huge difference If change owners don t understand ques4ons they are call back the security team to answer If you ask wrong ques4ons Change owner may 4ck no security analysis needed Wilcoxon- test says yes Mean of Effort to Perform the Security Assessment High D05 D16 ISRM D17 D04 D08 D06 D09 C5 C1 D12 D03 D10 D18 High Medium D13 D20 D15 C2 C3 Medium D21 C4 Low D01 D14 Medium Low D11 D22 D19 D07 DEPT ANALYSIS IMPACT Factors 15

16 Key Takeaways (Security) Triage determines which requests get high quality Assessment and which ones default one (Security) Survey background for decision (avoid overkilling and underes4ma4ng) providing template assessment dynamically updated ader each change requests It empirically works! And can be adopted on every change requests Pilot: from days/request à 5 days/request and shrinking 16

17 Grazie per l attenzione! Poste Italiane S&T htp:// DistreTo Cybersecurity ú htp:// University of Trento - Security htp://securitylab.disi.unitn.it Fabio.Massacci@unitn.it Seconomics Project ú htp:// 17