Information Security is not an IT problem!
Enterprise Risk & Security Management
Raymond Slot, Security Seminar, 20 March 2015
Some Security Incidents in 2014
Anthem: 80 million customer records exposed
JPMorgan Chase: records of 76 million private customers and 7 million small businesses stolen
Sony Pictures: attack exposing unreleased movies and e-mails
Gemalto: attack to obtain SIM card encryption keys
Attack on the ATMs of a large European bank
NFC hack on Chilean public transport systems
Security Attacks
Over 2014 more than 4,400 corporate-sector targets were hit in at least 55 countries worldwide. The number of victims affected by targeted attacks in 2014 is 2.4 times that of 2013, when up to 1,800 corporate targets were discovered.
Attacks move from general attacks to targeted, long-term attacks.
Example targeted attacks:
Attacks specifically aimed at C-level and senior management in hotels
Attacks aimed at banks and at billing companies
Attacks to obtain encryption keys
Attacks on home banking systems
Source: Kaspersky, 2014
Cost of Cyber Crime?
UK: 0.16% of GDP, 4.8 billion euro
Netherlands: 1.5% of GDP, 8.8 billion euro
Germany: 1.6% of GDP, 56 billion euro
Global losses are estimated at $375 billion to $575 billion
Source: McAfee, 2014
Reasons for increased attack rates
We are heading for a security meltdown of our economy.
1. Attacking is becoming technically easier, and cybercrime has become a target for criminal big money
2. In the Internet of Things, security is often considered an afterthought
3. High-visibility successes attract new cybercriminals
4. Risks for cybercriminals are relatively low: legislation has not kept pace, and the international nature of the crimes makes prosecution almost impossible
5. Cyberterrorism and cyber warfare are facts of life
6. We are building more and more large mission-critical IT systems without including security as a key design criterion
Source: Sessions, 2015
Cost vs. Risk Trade-Off [chart; axes labelled High/Low]
Expenditure versus Level of Security [chart; axis labelled Expense]
Characteristics of Enterprise Risk & Security Management
Goal: acceptable residual risk at minimal cost, based on business risks.
Key questions:
What risks are we exposed to?
What is an acceptable level of risk for our organization?
These are business questions; IT cannot answer them. For business to answer them, it needs insight into the risks and into the acceptable residual risks. The role of security architecture is to give business managers this insight.
Secure Enterprise Architecture
There are two approaches to a secure enterprise architecture: bolt-it-on (usual) and build-it-in (much safer). Go for inherently secure designs.
Examples: Android, Snowman, SOA architecture
[diagram: Business Architecture, Information Architecture, Security, Application Architecture, Data Architecture, Technical Architecture]
Instead of Security Architecture we should speak of a Secure Enterprise Architecture.
Security Levels
Strategic: security policy, security organization, acceptable risk level
Tactical: the gap between policy and operation
Operational: firewall, virus checking, network zones
Security Approach
[diagram] Business domain: drivers, policies, threats, opportunities, responsibilities, risks, vulnerabilities, security requirements. Solution domain: firewall architecture, virus scanning, measures, authentication, access control.
Security Process
[diagram] Risk analysis and policy definition; security requirements definition; security measures; residual risk; security architecture
Non-Functional Requirements
Security requirements: confidentiality, authentication, integrity, non-repudiation, auditability
Governance requirements: availability, contingency, incident resolvability, ability for administration and configuration, cost, accountability, scalability, traceability
Volumetric requirements: performance, throughput, response time, currency (data), correctness (data), % modified (data), simultaneous users, # transactions, storage
Development requirements: maintainability, portability, reusability, testability
Green requirements: energy efficiency, environmentally friendly materials, sustainability
Non-functional Aspects (ISO 25010) [diagram] Source: ISO
Levels of Security Requirements (example)
Level  | Integrity | Authentication | Availability | Performance
High   | It is very difficult to compromise the accuracy and completeness of data, both in storage and in transport | It is very difficult to assume somebody else's identity | 7 x 24 hours | Very fast response time (< 0.5 sec)
Medium | It is fairly difficult to compromise the accuracy and completeness of data, both in storage and in transport | Sufficient measures are taken so that the average user will not be capable of assuming someone else's identity | 6 x 12 hours | Fast response time (< 2 sec)
Low    | No value is attached to the accuracy and completeness of data | There is no need to identify the actor | Office hours | Internet-level response times, unmanaged
Security Requirement Profile
Profile            | Example                                                                               | Integrity | Authentication | Confidentiality | Availability | Performance
Public Level       | People surfing the website; information is freely available                           | High      | Low            | Low             | High         | Medium
Standard Level     | Company-confidential actions; information is freely available within the organisation | Medium    | Medium         | Medium          | Medium       | Medium
Confidential Level | Confidential actions; information availability is restricted                          | High      | High           | High            | Medium       | Medium
Example security requirement profiles; organizations require 5-10 profiles.
Security Use Case
ACTOR executing an ACTIVITY (using some INFO)
1. Client retrieving product information
2. Client inquiring account balance
3. Client executing financial transaction
4. Employee conducting standard operation (e.g., developing a product)
5. Employee conducting high-risk operations (e.g., handling financial sums above 500,000)
The number of security use cases in an organization is about 20.
Classification of Security Use Cases
Security Use Case                           | Public | Standard | Confidential
1. Client retrieving product information    |   X    |          |
2. Client inquiring account balance         |        |    X     |
3. Client executing transactions            |        |          |      X
4. Employee conducting standard operations  |        |    X     |
5. Employee conducting high-risk operations |        |          |      X
Use Case Context: Locations
Internal access: company office
External access: hotel, client location, home
Use Case Context: Platforms
PC / laptop, tablet, phone
Define Security Measures
Security requirement: example measures
High-Secure (Confidential Level): multi-level authentication, 4-eyes principle, personnel screening
Baseline (Standard Level): virus checking, application virtualization, network zones, firewall
Below Baseline (Public Level): no access control, accessible from the Internet
Example 1: End-to-End Security Measures for a Security Context
Specification
Use case: employee conducting a standard operation from an external location
Security requirements profile: Standard Level
Location: external access
Platform: PC
Measures are based on ISO 27000
Example 2: End-to-End Security Measures for a Security Context
Specification
Use case: client conducting a standard operation from an external location
Security requirements profile: Standard Level
Location: external access
Platform: Phone!
Definition of Security Architecture
Security use cases: actor, activity & information
Security requirements profile
Use case context: platform, location
Use case measures
Organizations require 20-30 use case descriptions.
Security Architecture Cycle
1. Risk analysis provides insight
2. Policy determines the acceptable risk level (risk appetite)
3. The requirement profile describes the required level of confidentiality, integrity, etc.
4. Each security use case is assigned a requirement profile
5. For each use case and requirement profile a set of security measures is defined: the target security architecture
6. Gaps are identified between the actual situation and the target situation, giving the residual risks
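As an added worked example (not part of the slides), the following Python sketch models steps 4 to 6 of this cycle using the deck's own requirement profiles (Public, Standard, Confidential), its example measures per profile, and its use-case contexts (location and platform). The extra measures per context, the mapping of each measure to the requirement attribute it protects, and the qualitative residual-risk rating are illustrative assumptions made for this example, not a catalogue from the deck or from any real organisation.

```python
"""Added example, not from the slides: a minimal model of the security
architecture cycle (profiles, use cases, target measures, gaps, residual risk)."""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
PROFILE_ORDER = ("Public", "Standard", "Confidential")

# Requirement profiles from the slide deck: a level per attribute.
PROFILES = {
    "Public":       dict(integrity="High", authentication="Low", confidentiality="Low",
                         availability="High", performance="Medium"),
    "Standard":     dict(integrity="Medium", authentication="Medium", confidentiality="Medium",
                         availability="Medium", performance="Medium"),
    "Confidential": dict(integrity="High", authentication="High", confidentiality="High",
                         availability="Medium", performance="Medium"),
}

# Example measures per profile from the deck. Assumption: profiles are
# cumulative, so a Confidential use case also needs the Standard baseline.
PROFILE_MEASURES = {
    "Public": set(),  # below baseline: no access control, reachable from the Internet
    "Standard": {"virus checking", "application virtualization", "network zones", "firewall"},
    "Confidential": {"multi-level authentication", "4-eyes principle", "personnel screening"},
}

# Which requirement attribute each measure mainly protects. Assumption made
# for this example; the deck does not map measures to attributes.
MEASURE_PROTECTS = {
    "virus checking": "integrity",
    "application virtualization": "integrity",
    "network zones": "confidentiality",
    "firewall": "confidentiality",
    "multi-level authentication": "authentication",
    "4-eyes principle": "integrity",
    "personnel screening": "confidentiality",
    "vpn": "confidentiality",
    "mobile device management": "confidentiality",
}

# Extra measures by use-case context (location, platform). The deck names
# the contexts but not these measures; the measure names are illustrative.
CONTEXT_MEASURES = {
    ("External", "PC"): {"vpn"},
    ("External", "Tablet"): {"vpn", "mobile device management"},
    ("External", "Phone"): {"vpn", "mobile device management"},
}


@dataclass(frozen=True)
class UseCase:
    actor: str
    activity: str
    profile: str   # one of PROFILE_ORDER (step 4: classify the use case)
    location: str  # "Internal" or "External" access
    platform: str  # "PC", "Tablet" or "Phone"


def target_measures(uc: UseCase) -> set:
    """Step 5: the measures this use case should have in its context."""
    if uc.profile not in PROFILE_ORDER:
        raise ValueError(f"unknown profile {uc.profile!r}")
    target = set()
    for p in PROFILE_ORDER[: PROFILE_ORDER.index(uc.profile) + 1]:
        target |= PROFILE_MEASURES[p]
    if uc.profile != "Public":  # below-baseline use cases are Internet-facing by design
        target |= CONTEXT_MEASURES.get((uc.location, uc.platform), set())
    return target


def gaps(uc: UseCase, actual: set) -> tuple:
    """Step 6: (missing, excess). Missing measures leave residual risk
    ("security too low"); excess measures are cost without a requirement
    behind them ("security too high")."""
    target = target_measures(uc)
    return target - actual, actual - target


def residual_risk(uc: UseCase, actual: set) -> str:
    """Qualitative residual risk: the highest requirement level among the
    attributes whose protecting measures are missing; Low if nothing is missing."""
    missing, _ = gaps(uc, actual)
    levels = PROFILES[uc.profile]
    worst = 0
    for m in missing:
        worst = max(worst, LEVELS.index(levels[MEASURE_PROTECTS[m]]))
    return LEVELS[worst]


def report(uc: UseCase, actual: set) -> dict:
    """Gap report for business management: what is missing, what is surplus, how bad."""
    missing, excess = gaps(uc, actual)
    return {"use_case": f"{uc.actor} {uc.activity}", "missing": sorted(missing),
            "excess": sorted(excess), "residual_risk": residual_risk(uc, actual)}


if __name__ == "__main__":
    # Constructed situation: the employee's external PC access has the Standard
    # baseline but no VPN; the public website runs a login it never needed.
    baseline = {"virus checking", "application virtualization", "network zones", "firewall"}
    employee = UseCase("Employee", "conducting standard operation", "Standard", "External", "PC")
    print(report(employee, baseline))
    visitor = UseCase("Client", "retrieving product information", "Public", "External", "PC")
    print(report(visitor, {"multi-level authentication"}))
```

The report separates the two failure modes the deck's lessons learned warn about: missing measures (residual risk that business management must accept or close) and excess measures (cost with no requirement behind it). Changing a use case's profile or context changes its target set, which is the point of tying measures to use cases rather than applying one level everywhere.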
Qualitative Risk Assessment [diagram with the factors Risk, Loss Event Frequency (LEF) and Vulnerability (Vuln)]
A Risk Overlay for ArchiMate [diagram]
Example [diagram]
Lessons Learned
1. Do not assume that information security is okay
2. Take the lead as business management in information security
3. Operational continuity and justification of information security costs are the responsibility of management
4. Analysis of existing security environments shows security that is too high ("All authorizations need to be two-factor") and security that is too low ("Wait, does that process also use medical data!?!")
5. Business management needs insight into actual and target residual risks and the gaps between them
6. Plan how to handle security gaps
Information Security is not an IT problem!
Concluding
Business management is responsible for cyber security: policies & compliance, sensitivity of information, acceptable risk levels
Execution is the responsibility of IT, HR, Facilities and Finance
Architecture bridges the gap: a clear relation between needs and measures, in business terms; business is in control; effective and efficient use of resources
Questions? Raymond Slot r.slot@bizzdesign.com +31 646 00 23 78 Webinars, blogs, e-books, customer stories, training portfolio, software and more on www.bizzdesign.com
2014 BiZZdesign. All rights reserved. BiZZdesign and BiZZdesign logos are registered trademarks of BiZZdesign Company.