Managing Network-related Risk for SMEs
SANS Information Security Webcast, 20 Mar 2012, Geneva, Switzerland (version 1b)
Jim Herbeck
Managing Partner, Nouvel Strategies, JHerbeck@NouvelStrategies.com
Member of Faculty, SANS Institute, JHerbeck@sans.org
SANS Webcast archive: https://www.sans.org/webcasts/managing-network-related-risk-smes-94944
Slide handout (English): http://nouvelstrategies.com/infosec-for-smes
Slide handout (French): http://www.hesge.ch/heg/ccsie/ccsie_ressources.html

Welcome to the webcast!
Java-based Elluminate platform: audio, whiteboard, interaction
Interaction:
- polling: answer questions
- emoticons: provide feedback
- chat: ask questions
After the webcast:
- replay the webcast archive
- download the handout

Agenda
- Initial words
- Defining network-related risk
- Likelihood and severity for SMEs
- Controlling network-related risk for SMEs
- Final words

Managing risk vs. controlling risk
"Managing risk" is jargon used by managers. "Controlling risk" is jargon used by auditors and finance people. Both mean essentially the same thing; however, "controlling risk" has some semantic advantages:
- defining control objectives to control risk
- defining controls to meet control objectives

Review from previous webcast: Security controls, organized by category
- Administrative: decisions by management, personnel, legal, or purchasing. Also includes developing policies, standards, or processes.
- Technical: activities involving computer hardware, software, applications, or network infrastructure.
- Physical: badges, gates, locks, alarms, or guards.

Review from previous webcast: Security controls, organized by action
- Preventative: to stop the occurrence of undesirable events.
- Deterrent: to discourage the occurrence of undesirable events.
- Detective: to notice the occurrence of undesirable events.
- Corrective: to respond to the occurrence of undesirable events, to prevent damage.
- Recovery: to restore after damage caused by the occurrence of undesirable events.

Review from previous webcast: Security control matrix
Columns: Administrative, Technical, Physical
Rows: Preventative, Deterrent, Detective, Corrective, Recovery

Where can you find a pragmatic, business-oriented, standards-based list of network-related risk?
CPI-RISC* Information Risk Framework
- originally released in 2010
- defines 33 risk areas, organized into 7 business functions: management, personnel, legal, facilities, finance, IT, purchasing
- based on ISO 27001, ISO 27002, and SANS 20 Critical Security Controls (v3.0)
http://cpi-risc.org/
* CPI-RISC: Continuous Process Improvement Risk, Information Security, and Compliance

CPI-RISC Information Risk Framework: ITS4 summarizes network-related risk
Based on ISO 27001, ISO 27002, and SANS 20 Critical Security Controls (v3.0):
- A.10.6.1 (ISO 27001) or 10.6.1 (ISO 27002)
- A.10.6.2 (ISO 27001) or 10.6.2 (ISO 27002)
- A.11.4.1 (ISO 27001) or 11.4.1 (ISO 27002)
- A.11.4.5 (ISO 27001) or 11.4.5 (ISO 27002)
- A.11.4.6 (ISO 27001) or 11.4.6 (ISO 27002)
- A.11.4.7 (ISO 27001) or 11.4.7 (ISO 27002)
- SANS CC4, CC5, CC13, CC14, CC16

Summarized for civilians: Network-related risk
As a result of inadequate network security or network flaws:
- the risk of the loss of confidentiality or integrity of information resources
- the risk of the inability to use the network or network services

Controls for reducing network-related risk
- implementing a securely designed network
- implementing a securely designed wireless network
- implementing a securely designed network perimeter
- using secure network device configurations
- preventing unauthorized access to network services

What criteria are used to categorize network-related risks?
- Attack vector: risks associated with network-based attacks
- Responsible person/third party: risks managed by the network manager or network service provider
- Control type: risks managed with network equipment (routers, access points, firewalls, IDSs, IPSs, etc.)
Doesn't include:
- malicious software risk (controlled by system admins)
- phishing risk (controlled by finance processes)

Why do we care about likelihood and severity?
[Figure: risk matrix of Likelihood of Occurrence (High/Medium/Low) against Severity of Impact / Consequences (Low/Medium/High); the high-likelihood, high-severity cells are the areas of concern.]

What's the most serious network-related risk?
Unauthorized, remote access of information resources via the network:
- could compromise confidentiality
- could compromise integrity
- could compromise availability
What's worse? Undetected, unauthorized, remote access of information resources via the network: the advanced persistent threat (APT) nightmare scenario.

Realistically, what's the impact for an SME?
Direct loss: financial
- E-banking username/password could be stolen.
- Fraudulent invoices could be created and paid.
Indirect loss: embarrassment, loss of reputation, loss of customers, loss of income, legal penalties, SLA / contractual problems
- Customer information could be stolen.
- Network services could be modified (website defaced).
- Network services could be interrupted (server crash).

What are the steps for controlling any risk?
1. Identify the risk.
2. Determine the risk management decision and define the control objectives.
3. Select controls to be used for achieving the control objectives.
   - Choose a variety of control types.
4. Develop the plan for implementing controls.
   - The implementation plan may span multiple years.

Steps 1, 2, and 3: Controlling network-related risk
1. Identify risk
   - risk: attack via the network
2. Define decision / control objective
   - decision: to prevent attacks
   - control objective: to reduce the likelihood and severity of attack via the network
3. Select controls
   - implement a network policy
   - implement a securely designed network
   - implement a securely designed wireless network
   - implement a securely designed network perimeter
   - use secure network device configurations
   - prevent unauthorized access to network services

Implementing a Network Policy* [administrative/preventive control]
To reduce the likelihood and severity of attack via the network:
- A securely designed network shall be implemented.
- A securely designed wireless network shall be implemented.
- A securely designed network perimeter shall be implemented.
- Secure network device configurations shall be used.
- Access controls shall be used to prevent unauthorized access to network services.
* Network Policy: the network-related portion of the information security policy

Implementing a securely designed network and a securely designed wireless network [technical/preventive control]
A network manager or network service provider should design and implement the organization's internal network:
- determine security requirements for all network services
- specify the appropriate use of:
  - encryption (router/switch/VPN concentrator)
  - network segmentation (router/switch)
  - network access control devices (firewall)
The secure network plan and requirements should be documented.

Implementing a secure network perimeter [technical/preventive, technical/detective, technical/corrective control]
A network manager or network service provider should design and implement the organization's connection to any external networks and the Internet:
- determine security requirements for all network services
- specify the appropriate use of:
  - encryption (router/switch/VPN concentrator)
  - network segmentation (router/switch)
  - network access control devices (firewall)
  - network proxy (router/switch/firewall)
  - network attack detection devices (IDS)
  - network attack response devices (IPS)
The secure network plan and requirements should be documented.

Using secure network device configurations [technical/preventive, technical/detective, technical/corrective control]
- Ensure network device configurations correctly implement the security requirements.
- Ensure network devices themselves are resistant to attack.
Good resource for SMEs: the Center for Internet Security benchmarks. http://www.cisecurity.org/

Preventing unauthorized access to network services (inbound/ingress filtering) [technical/preventive, technical/detective control]
Control inbound access to network services based on business requirements:
- old way: black list (list of forbidden access/sites)
- new way: white list (list of allowed access/sites)
Monitor access logs to detect unauthorized access.

Preventing unauthorized access to network services (outbound/egress filtering) [technical/preventive, technical/detective control]
Control outbound access to network services based on business requirements:
- old way (black list) vs. new way (white list)
Monitor access logs to detect unauthorized access.
Good resource for SMEs: OpenDNS
- controls external access by filtering DNS resolution
- free entry-level service
http://www.opendns.com/

Summarized for civilians: Controlling network-related risk
1. Write a network policy.
2. Proactively plan, implement, and manage a secure network:
   - Define the role for network management (internal/external).
   - Define and document security requirements for the network and all network services.
   - Implement a secure network (wired/wireless) according to requirements:
     - Include segregation, DMZ, proxies, firewalls, IDSs, or IPSs as required.
3. Implement network access control:
   - Write a network access standard (network access policy) to define the network access required by business applications and business processes.
   - Implement network access control on the firewall and network devices according to the network access standard.
   - Perform ingress and egress filtering.
   - Block access to ports/services/websites that don't have a documented business purpose.

Reviewing the control matrix: Has anything been missed?
Matrix columns: Administrative, Technical, Physical; rows: Preventative, Deterrent, Detective, Corrective, Recovery.
Cells marked as not applicable or as a gap still to be filled (in brackets): N/A, [Access warnings], N/A, [Incident plan], N/A, [DRP plan], N/A, [Backup plan], [Backup system], N/A
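As an added example (not from the webcast or its handout), the white-list approach of the ingress/egress filtering slides and the "network access standard" of the summary above, applied as a log review: a constructed, assumed access standard is checked against constructed firewall log lines, and every connection the firewall allowed without a documented business purpose is reported.

```python
"""Allow-list (white-list) review of firewall access logs.

The ACCESS_STANDARD below is a constructed stand-in for an SME's network
access standard: anything not listed has no documented business purpose.
SAMPLE_LOG is constructed in a simplified one-line-per-connection format:
    direction src dst dst_port proto firewall_action
"""
from collections import Counter

# Constructed network access standard (assumed values): (dst, port, proto).
# "*" as dst means any destination is acceptable for that port/proto.
ACCESS_STANDARD = {
    "in":  {("10.0.0.20", 443, "tcp"),    # public web server
            ("10.0.0.25", 25, "tcp")},    # mail server
    "out": {("*", 443, "tcp"),            # web browsing over TLS
            ("*", 80, "tcp"),             # plain web browsing
            ("10.0.0.53", 53, "udp")},    # internal DNS resolver only
}

# Constructed sample log lines (every one was allowed by the firewall).
SAMPLE_LOG = """\
in 203.0.113.5 10.0.0.20 443 tcp allow
in 203.0.113.9 10.0.0.30 3389 tcp allow
out 10.0.0.77 198.51.100.4 443 tcp allow
out 10.0.0.77 198.51.100.4 53 udp allow
out 10.0.0.88 192.0.2.10 6667 tcp allow
in 203.0.113.5 10.0.0.25 25 tcp allow
"""


def parse_line(line):
    direction, src, dst, port, proto, action = line.split()
    return {"dir": direction, "src": src, "dst": dst,
            "port": int(port), "proto": proto, "action": action}


def permitted(entry):
    """White-list check: a connection is fine only if the standard lists it."""
    rules = ACCESS_STANDARD[entry["dir"]]
    key = (entry["dst"], entry["port"], entry["proto"])
    wildcard = ("*", entry["port"], entry["proto"])
    return key in rules or wildcard in rules


def review(log_text):
    """Return allowed connections that the access standard does not cover."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry["action"] == "allow" and not permitted(entry):
            findings.append(entry)
    return findings


def summarize(findings):
    """Count findings per direction, e.g. {'in': 1, 'out': 2}."""
    return dict(Counter(f["dir"] for f in findings))
```

Each finding is either a firewall rule that is broader than the standard (the rule should be tightened) or a business need the standard does not yet document (the standard should be updated); the review cannot tell which, so each one needs a decision.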

Step 4: Developing a multi-year implementation plan
Determine how many years your implementation plan will span.
Based on constraints, plan what to implement each year:
- implement preventive controls first
Don't forget verifying control effectiveness:
- network scanning and vulnerability assessment tools can verify whether network access controls are working
- the Center for Internet Security has benchmark scoring tools that can verify secure configurations

Network-related risk is evolving. Is your information security program evolving?
- Cloud computing
- Social networking
- Instant messaging
- Data leakage / data loss prevention

Upcoming Webcasts for SMEs
- Apr 2012: Managing Legal, Regulatory, and Compliance Risk for SMEs
- May 2012: Managing System-related Risk for SMEs
- Jun 2012: Managing Third Party Risk for SMEs