Through the Security Looking Glass. Presented by Steve Meek, CISSP

Transcription

1 Through the Security Looking Glass Presented by Steve Meek, CISSP

2 Agenda Presentation Goal Quick Survey of audience Security Basics Overview Risk Management Overview Organizational Security Tools Secure By Design By the numbers Resources About The Fulcrum Group, Inc. Question and Answers

3 Goal Briefly cover content applicable to developers AND technology leaders related to security Arm listeners with language to interact with computer networking and security teams Exchange thoughts, suggestions and advice with other participants Increase security throughout the entire organization

4 Survey How many people are developers? How many DBAs? Networking oriented people? Security focused practitioners? Organization sizes? Bound by any compliances? What do you hope to gather from discussion today? Any general security questions you d like me to try and weave into content?

5 Security Principles Confidentiality- Allowing only authorized subjects access to information Integrity- Allowing only authorized subjects to modify information Availability- Ensuring that information and resources are accessible when needed

6 Security Governance Security Governance is the organizational processes and relationships for managing risk Policies, Standards, Procedures, Guidelines, Baselines Organizational Structures Roles and Responsibilities

7 Information Classification Classification requires policies and procedures how data is categorized. Determines how it is accessed, updated, protected, recovered and managed, in accordance with specific application requirements Sensitivity (Public, Private) Recovery Time Objective (RTO) Department Age Ownership Other??

8 Risk Management Risk Management is identifying, evaluating, and mitigating risk to an organization It s a cyclical, continuous process Need to know what you have Need to know what threats are likely Need to know how and how well it is protected Need to know where the gaps are What you identify Assets Threats/Threat-sources Vulnerabilities- Weaknesses Controls- Safeguard

9 Risk Management Likelihood- probability that a risk can occur Impact- potential effect on the organization Identify inherent and residual risk in the high/high RED areas Resources always limited so prioritize actions there first Risk can never be completely eliminated

10 Understanding security structure Example- Physical Security What are the physical security tools for protecting your house? Doors Alarm Dog Windows Motion Sensor Gun Locks Crime Watch Police Fence Monitoring Insurance Protect Detect Respond

11 Structure in IT terms Protect Detect Respond Administrative Executive help set IT Policy Procedures Log reviews Monitoring Assessments Awareness Prog. Security person IT training Physical Locks/keycard Security cameras Security guard Technical Firewall Anti-virus Patching Password Policy IDS Secure new sites IPS BC/DR Plan Group Policy Sometimes referred to as layering security or defense in depth

12 Security by Organization Size Company Sizes Security Categories Security Posture Appropriate server and share permissions Currently following good design, but could be tuned up Basic anti-spyware standards Currently following good design Basic anti-virus standards (file and ) Currently following good design, AV needs to be updated and tuned some Basic Group Policy settings Basic policy in place Basic Physical Security Secured server room and IDF, receptionist partially greets people on third Password protect network backups Not aware of password protection Process to disable and delete old accounts in AD Currently following, but some old or missed accounts when I checked SOHO 5-15 Use of groups and roles in Active Directory Currently following good design Anti-SPAM tools in place Currently following good design Basic Internet filtering Currently following good design Basic logging server for domain and devices Not aware of central syslog or event log server Basic wireless security enforced at office Currently following good design Encryption of PII data at rest Not aware of any tool, could be helpful Firewall and gateway protection Currently following good design Patch management Currently following good design, saw some minor server issues, but could RADIUS for multi-factor authentication Have IAS set up on DCs, looks configured for ASA SSL used to secure website traffic Currently following good design VPN for secured remote access Currently following good design Small Written Acceptable Use Policy Started policy but not implemented, not sure of executive buy-in?

13 Security by Organization Size Company Sizes Security Categories Security Posture Annual Security Audit Not aware of any practice in place Application and web firewalls Not aware of any tool, have several public facing applications Application security testing Not aware of any practice in place Data classification Not efforts to go through data classification Data Loss Prevention Systems Not aware of any tool in place Data Retention Policy No official policy established Device control (including USB) Not aware of any tool in place vaulting for compliance Not aware of any tool in place Encrypt backups Not aware of any tool in place Encrypted data in motion/databases Not aware of any tool in place Intrusion detection/prevention Not aware of any tool in place IT Governance Policy (more complete) Have to get basic AUP in place first Network Access Control Not aware of any tool in place Monthly/ Quarterly/ Annual security scans Not aware of any tool in place Medium Separate guest and internal wireless, advanced control Not needed from discussions Annual Security Audit or Risk Assessment Not aware of any practice in place Business Impact Assessment for DR planning Not aware of any practice in place Colocation/offsite facility for recovery Considering locating some at a remote branch Compliance Officer (for industry) Legal provides some compliance work DR/BC plan Not aware of any practice in place archival with discovery and search Not aware of any tool in place Monthly security scans Not aware of any practice in place Security Event Management solution Not aware of any tool in place Separation of IT duties Not aware of any practice in place Medium to Enterprise 251+ Single-sign on Not aware of any tool in place

14 Secure by Design Software being designed from the ground up to be secure. Security is about regulating access to assets (systems, data, databases, intelligence) Software development can provide core functionality that is inherently dangerous self-service analytics, grabbing data from disparate systems, mobile applications (bi-directional), BI in the cloud (Amazon RedShift, Google BigQuery), offline support for applications growth of access to unstructured data Secure software development process model at Microsoft.

15 Secure by Design The Open Web Application Security Project is an online community dedicated to web application security. They provide information on secure development of web applications and even publish things like the Top Ten list of most common attacks on web applications. OWASP 2013 The Top 10 Most Critical Web Application Security Risks

16 Secure by Design The Cloud Security Alliance (CSA) promotes the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. CLOUD SECURITY ALLIANCE Expanded Top Ten Big Data Security and Privacy Challenges, April 2013

17 Secure by Design Database security should provide controlled, protected access to the contents of your database and, in the process, preserve the integrity, consistency, and overall quality of your data. Access Control- The primary method used to protect data is limiting access to the data Row level security- Controlling access to database tables or columns is frequently required and can be enacted by simply granting privileges to one of these objects. Restricting access to data contained in individual records (rows) requires additional steps. Application Access Assessment- Create security matrix to provide a visual depiction of the correlation between the operations or authorizations needed for database objects and input/output sources such as forms and reports Database Vulnerability- As more and more databases are made accessible via the Internet and webbased applications, their exposure to security threats will rise. Database Inference- Inference, or the ability to derive unknown information based on retrieved information. Use controls related to queries (suppression) or controls related to individual items in a database (concealing). Auditing- Auditing can be used to identify who accessed database objects, what actions were performed, and what data was changed. Backups- Protecting backups of data or encrypting backups Lack of consistency in operational management- Develop a consistent practice in looking after their databases, staying aware of threats and making sure that vulnerabilities are taken care of.

18 By the numbers Security statistics (2012 data breach investigations report) 70% of breaches originated in Eastern Europe; 25% of breaches originated in North America (24x7 businesses) Most data breaches caused by external attacks (organized crime, activist groups, former employees, lone hackers, organizations sponsored by foreign governments) Hacking and malware both were on the rise (81% and 69% vs. 50% and 49% in 2010) Insider incidents declined to 4% of all attacks this year Third parties detected 92% of all breaches 95% of records lost included personal information (up from 1% in 2010) Networks compromised for extended periods of time ONLY 8% OF BREACHES DISCOVERED INTERNALLY

19 Resources- Security Curriculum ISC2 s 10 Domains of Security Access Control Telecommunications and Network Security Information Security and Risk Management Applications Security Cryptography Security Architecture and Design Operations Security Business Continuity Planning and Disaster Recovery Planning Legal Regulation and Compliance Physical (Environmental Security)

20 Resources- Compliance for Organizations Federal Information Processing Standards (FIPS)- adhere to the same guidelines regarding security and communication Gramm-Leach-Bliley Act (GLBA) protect consumers personal financial information Health Insurance Portability and Accountability Act (HIPAA)- regulations for the use and disclosure of any information concerning individual health care Health Information Technology for Economic and Clinical Health (HITECH)- addresses the privacy and security concerns associated with the electronic transmission of health information Payment Card Industry Data Security Standard (PCI DSS)- standard for protecting cardholder information Sarbanes-Oxley- security, accuracy and the reliability of the systems that manage and report financial data.

21 Resources- Links NIST 800 Series Publications Microsoft Security Development Lifecycle (SDL) Microsoft Business Intelligence and Security %20Intelligence%20and%20Security.aspx MS-SQL- Securing the Tabular BI Semantic Model Open Web Application Security Project (OWASP) The Cloud Security Alliance (CSA) Imperva Database Security

22 Summary Understand the language of security Use it to communicate with related teams Understand risk management and structured security approaches Make security and tools appropriate for your organization Secure your environment by paying attention to application development, web security, database security and cloud impacts Understand security vectors from reports Use resources to understand better strategies to protect yourself Get a good nights sleep

23 About The Fulcrum Group, Inc. Business-Focused Company incorporated in 2002 Have clients in Fort Worth/Dallas over fifteen years See ourselves as a service provider first Principals highly experienced technologists AND business people SPOT outsourced IT support program