Ernie Hayden, CISSP, CEH, Executive Consultant
The Old Paradigm
The New Philosophies
What to Do?
Discussion, Q&A
Herstmonceux Castle and Moat http://www.geograph.org.uk/photo/1530793
Heartland, Sony, Sega, WikiLeaks, etc. http://tinyurl.com/m8v73ev
Debora Plunkett, NSA Information Assurance Directorate, December 2010 (Note 1): computer systems "must be built with the assumption that the adversaries will get in." Further: "Most sophisticated attackers are going to go unnoticed on the NSA's networks." http://www.forbes.com/fdc/welcome_mjx.shtml
Note 1: http://www.eweek.com/c/a/security/nsa-assume-attackers-will-compromise-networks-395027/
PwC, January 2011: "Recognition that you have been or will be breached... and protect your systems and data accordingly. This approach is more realistic and allows for more flexibility in protection of high-value assets." http://www.pwc.com/us/en/forensicservices/publications/are-you-compromised.jhtml
Mr. Kris Herrin, CTO, Heartland Payment Systems, June 2011: the new approach by Heartland is to take all possible and practical steps to protect the data, but they will assume the security systems and data can and have been breached. http://www.heartlandpaymentsystems.com/about-heartland/leadership-team/kris-herrin
"More companies every day are acknowledging that in order to survive in this new era of attacks, we all have to accept the fact that the bad guys are in our network. Period." RSA Conference Europe 2012, London, October 9, 2012. http://www.emc.com/about/news/press/2012/20121009-03.htm http://www.emc.com/corporate/emc-at-glance/execteam/heiser.htm
Kirk Bailey, University of Washington CISO, 2003: introduced everyone to the idea of "assumption of breach." "It is not a matter of if but when."
The Assumption of Breach is a new philosophy vs. what we were taught in Security 101 or our CISSP classes. This requires:
Board-level support
CEO support
Recognition that the key data is the focus
http://searchsecurity.techtarget.com/tip/assumption-of-breach-how-a-new-mindset-can-help-protect-critical-data
Still Keep the Fortress
Evidence of Due Care
Recognize the Strainer Model
Kirk Bailey Top 10
1. Implement a Risk Management Framework: repeatable, demonstrates trends.
2. Conduct Asset Profiling and Inventory: know where your crown jewels are; separate out critical and non-critical data.
3. Prioritize Assets and Related Risk-Mitigation Efforts: focus on the crown jewels.
4. Incident Response Roles and Communications Plans.
5. Implement Aggressive Risk Transfer Programs: through detailed contracts and insurance underwriting.
6. Establish and Sustain Active and Strategic Alliances: allows for effective and trusted cross-communications about threats, mitigation schemes and lessons learned; include trusted vendors and security providers.
7. Implement a Business Intelligence Program: include dashboards and situational awareness.
8. Establish Advanced Incident Response and Management: think and look outside the normal cyber incident response practices (example: phishing attacks on executives).
9. Practice Strategic Isolation and Enclaving of: critical data; key executives, scientists, knowledge workers (limit presence on social networks).
10. Consider an Active Response Capability.
Indicators that a system may have been compromised (NIST SP 800-82r1, pages 6-19 to 6-20):
Unusually heavy network traffic
Out of disk space or significantly reduced free disk space
Unusually high CPU usage
Creation of new user accounts
Attempted or actual use of administrator-level accounts
Locked-out accounts
Account in use when the user is not at work
Cleared log files
Full log files with an unusually large number of events
Antivirus or IDS alerts
Disabled antivirus software and other security controls
Unexpected patch changes
Machines connecting to outside IP addresses
Requests for information about the system (social engineering attempts)
Unexpected changes in configuration settings
Unexpected system shutdown
http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-82r1.pdf
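As an added example (not part of the presentation or of NIST SP 800-82), a small Python scan that flags several of the indicators listed above in constructed syslog-style log lines; the log format, hostname, account names, working hours and admin account list are assumptions.

```python
# Added example: flag some NIST SP 800-82 incident indicators in constructed log lines.
import re
from datetime import datetime

# Constructed sample log lines (not real data); format: "ISO-time host message".
SAMPLE_LOG = """\
2013-04-02T09:12:44 hmi01 useradd: new user: name=svc_backup, UID=1007
2013-04-02T23:41:03 hmi01 sshd: Accepted password for administrator from 10.0.5.23
2013-04-02T23:42:10 hmi01 sshd: Accepted password for jdoe from 10.0.5.23
2013-04-02T23:45:51 hmi01 auditd: log file /var/log/secure truncated to 0 bytes
2013-04-03T08:05:00 hmi01 pam_tally2: account opsuser locked out after 5 failures
2013-04-03T08:07:12 hmi01 av-agent: real-time protection disabled by user
2013-04-03T10:00:00 hmi01 sshd: Accepted password for jdoe from 10.0.5.40
"""

WORK_HOURS = range(8, 18)                 # assumed hours when ordinary users are at work
ADMIN_ACCOUNTS = {"administrator", "root"}  # assumed administrator-level account names

# Each rule: (indicator name from the list above, regex applied to the message part).
RULES = [
    ("new user account created", re.compile(r"useradd: new user")),
    ("administrator-level account used", re.compile(r"Accepted \w+ for (administrator|root)\b")),
    ("log file cleared", re.compile(r"truncated to 0 bytes|logs? cleared")),
    ("account locked out", re.compile(r"locked out")),
    ("security control disabled", re.compile(r"protection disabled|antivirus.*disabled")),
]
LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from")

def scan(log_text):
    """Return (timestamp, indicator, line) tuples, one per indicator matched per line."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, _host, msg = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_text)
        for name, pattern in RULES:
            if pattern.search(msg):
                hits.append((ts_text, name, line))
        # "Account in use when the user is not at work": a non-admin login outside work hours.
        m = LOGIN_RE.search(msg)
        if m and m.group(1) not in ADMIN_ACCOUNTS and ts.hour not in WORK_HOURS:
            hits.append((ts_text, "account in use outside work hours", line))
    return hits

if __name__ == "__main__":
    for ts_text, name, line in scan(SAMPLE_LOG):
        print(f"{ts_text}  {name:36}  {line.split(' ', 2)[2]}")
```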
"The new paradigm for utility information security: assume your security system has already been breached," Asian Power Magazine, http://asian-power.com/node/11144
"Assumption of breach: How a new mindset can help protect critical data," SearchSecurity, http://searchsecurity.techtarget.com/tip/assumption-of-breach-how-a-new-mindset-can-help-protect-critical-data
"Are you compromised but don't know it?" PwC white paper, http://www.pwc.com/us/en/forensicservices/publications/are-you-compromised.jhtml
"New SCADA Security Reality: Assume a Security Breach," Tofino Security blog, http://www.tofinosecurity.com/blog/new-scada-security-reality-assume-security-breach
Ernie Hayden, CISSP, CEH, Executive Consultant
Securicon, LLC, 1321 La Forest Drive SE, North Bend, WA 98045
Phone: 425-765-1400
Email: ernie.hayden@securicon.com