Cyber Security and Information Assurance Controls: Prevention and Reaction
About Enterprise Risk Management
Capabilities:
- Cyber Security Risk Management
- Information Assurance
- Strategic Governance
- Regulatory Compliance
- Assurance and Attestation
- IT Audit & Advisory
- Fraud and IT Forensics
- Privacy and Consumer Protection
Sectors:
- Governmental
- Financial Services
- Oil & Gas, Energy
- Retail & Distribution
- Healthcare
- Manufacturing
- High Tech & Telecom
- Higher Ed
- Legal Services
- Hospitality
- Food, Beverage and Entertainment
- Leisure & Tourism
About the Presenter
Georgios Mortakis, Director of Consulting Services
CISSP, CISA, CRISC, PCIP, PCI QSA; MS Computer Science; MBA Information Systems
Core Experience:
- CISO Services
- Regulatory Compliance and Standards
- Technical Security Assessment
- Risk and Vulnerability Management
- Ethical Hacking
- Digital Forensics
- Business Continuity
Some Notable Cyber Security News
- Hackers demonstrate car hacking using a laptop
- SIM card cloning hack affects 750 million users around the world
- Hackers break into smartphones to access your bank account
- Hacking Google Glass with a QR code to sniff user data
- GPS flaw could let terrorists hijack ships, planes
- International hackers stole 160 million credit and debit card numbers in largest U.S. hacking scheme, feds say
- Stanford University computers breached
- Network-enabled Samsung TVs vulnerable to denial of service attack
Basics: What is Information/Cyber Security?
Information Security ensures that only authorized users (Confidentiality) have access to accurate and complete information (Integrity) when necessary (Availability).
Information Security Awareness
Who should be aware?
- Everyone in the organization
- Everyone else accessing organization information (visitors, consultants, suppliers, vendors, clients, etc.)
What should ANY EMPLOYEE be aware of?
- The appropriate level of security
- Importance of security
- Consequences of lack of security
- Individual responsibilities related to security
Information Security Awareness
Finally, what is Information Security Awareness? Everyone in the organization is aware of:
- The appropriate level of security for the organization
- Importance of security
- Consequences of lack of security
- Individual responsibilities related to security
Why do we need it?
- To ensure Information Security of the organization's assets
- To reinforce employees' behavior
Common Misconceptions
- We do not need training
- We provide training upon hire
- We never experienced a security breach
- We have policies and procedures
- We have a firewall
- It is expensive
Facts
- You need to perform frequent vulnerability assessments on your infrastructure components and systems to JUST VERIFY security controls are in place
- 53 new confirmed vulnerabilities for the top 50 apps every week on average in 2012 (2710/year)
- Approximately 2500 already in for 2013
Source: CVE database website
Facts
- Once-a-year penetration testing engagements do not cut it anymore
- Outdated
- Reactive mode: find out what might have already been exploited
- Expect to see regulatory compliance and standards require more frequent assessments
Question of the Day
What's more important to you and your environment: Security or Compliance?
What qualifies as a Breach?
Acts that bypass existing security policies, procedures and controls of an organization. Security breaches focus on the compromise of data that can create a reasonable risk of harm.
Some Cyber Security related Breach Facts
Financial losses from security breaches have increased through previous years. The highest dollar amount losses were related to the following types of security attacks:
- Financial fraud
- Customer and proprietary data
- Outsider system penetration
Current and Expected Security Breach Trends
- More of the perpetrators of security breaches and computer crime cases are motivated by monetary gain.
- The use of targeted attacks is increasing. This type of attack is also more difficult to detect.
- The development and use of malicious software is increasingly more sophisticated.
- New types of security threats are emerging.
- The protection provided by existing technologies is increasingly less capable of controlling security breaches.
Current and Expected Security Breach Trends
- Insider abuse of network system access is increasing.
- The theft of laptops and mobile devices is increasing.
- The number of organizations that are reporting security breaches to law enforcement is increasing.
- The majority of the organizations assign a small portion of their IT budget to security measures that can assist in controlling security breaches.
Cyber Security Controls
- Before the event: preventive controls are intended to prevent an incident from occurring.
- During the event: detective controls are intended to identify, classify, and CONTAIN an incident.
- After the event: corrective controls are intended to limit the extent of any damage caused by the incident, aka RECOVER.
Types of Controls
- Physical controls, e.g. fences, doors, locks and fire extinguishers;
- Procedural controls, e.g. incident response processes, management oversight, security awareness and training;
- Technical controls, e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
- Legal and regulatory or compliance controls, e.g. privacy laws, policies and clauses.
Establish the importance of PREVENTION
- An ounce of prevention is worth a pound of detection
- Preventive-based security control results in higher efficiency
- Detective/corrective-based security control can be very costly
- As a general guideline, security controls designed to prevent breaches from ever occurring are more cost-effective than those designed to identify or correct one
- Pay attention to the PEOPLE, PROCESS, TECHNOLOGY methodology
PREVENTIVE Controls
- Information Security Policy, Procedures and Standards
- Security Configuration Standards
- Data Mapping and Classification
- Access Control Management and Segmentation of Duties and Operations
- Authorization, Accountability
- Auditing, Logging, and Monitoring
- Risk Assessment and Vulnerability Management
Examples of Preventive Controls
- Security Awareness and Training
- Firewall (Network Layer, Application Layer)
- Antivirus/Endpoint Security/Personal Firewall
- IPS
Prevention is NOT the ANSWER to all QUESTIONS
- Hoping to always succeed in keeping the bad stuff out (or the good stuff in) is NOT sustainable
- Remember that Prevention Doesn't Scale
Reality Check: In this world there are bad people who do bad things, and simply trying to stay ahead of the latest attacks is NOT possible. Preventive controls, while absolutely necessary, must be supplemented by controls designed to strengthen incident detection and response.
JULY 2013
Post-prevention Security Controls
Post-prevention security doesn't mean you should stop trying to prevent bad things. It means expanding the capabilities of an organization's security posture. It means going beyond a binary perspective of one's cyber controls being good or bad, and accepting that bad things will happen and thus preparing for that inevitability.
Examples of Detective Controls
- System Monitoring
- IDS
- Antivirus/Endpoint Security/Personal Firewall
- Incident Response Plan
- Breach Containment
- SIEM Event Correlation
- Vulnerability Assessment and Testing
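To make the "SIEM Event Correlation" and "Breach Containment" items above concrete, here is an added example (not from the presentation or its author) of the kind of correlation rule a SIEM applies: it groups sshd-style authentication events by source address, raises an alert when a burst of failures exceeds a threshold inside a time window, and marks the alert for containment when a successful login follows the burst. The log lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (sshd-style); not taken from any real system.
SAMPLE_LOGS = [
    "2013-07-15T10:00:01 host1 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-15T10:00:03 host1 sshd: Failed password for root from 203.0.113.7",
    "2013-07-15T10:00:05 host2 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-15T10:00:06 host2 sshd: Failed password for backup from 203.0.113.7",
    "2013-07-15T10:00:08 host1 sshd: Failed password for admin from 203.0.113.7",
    "2013-07-15T10:00:09 host1 sshd: Accepted password for admin from 203.0.113.7",
    "2013-07-15T10:00:12 host3 sshd: Failed password for alice from 198.51.100.4",
    "2013-07-15T10:30:00 host3 sshd: Accepted password for alice from 198.51.100.4",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Detective control: per source, flag >= threshold failures within window.
    If a successful login follows the burst, escalate the alert to 'contain'."""
    events = [e for e in (parse(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                last_fail = burst[-1]["ts"]
                success = any(e["result"] == "Accepted" and e["ts"] > last_fail
                              for e in evs)
                alerts.append({"src": src, "failures": len(burst),
                               "hosts": sorted({f["host"] for f in burst}),
                               "action": "contain" if success else "alert"})
                break  # one alert per source is enough for this rule
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The single constructed source 203.0.113.7 trips the rule across two hosts and, because a login succeeded after the burst, the alert is escalated to containment rather than left as a plain notification.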
Examples of Corrective Controls
- EOL systems updates
- Vulnerability Correction
- Data Forensics
- Data Restore
Suggested Approach: Integrated Risk Management
Objectives: Strategic, Operational, Functional, Compliance
Domains: Cyber Security; IT Information Assurance; Enterprise Governance
- ISO 27001 & PCI-DSS Compliance
- Internal & External Process Assurance
- IT & Information Security Governance
- IT Risk Management
- Formalize Objectives of ISMS
- Frameworks, Standards, Regulatory Requirements
- Gap Analysis Against Best Practices
- Risk Identification
- Risk Assessment and Gap Analysis
- Program, Project, or Client Requirements
- Periodic Reviews and Monitoring
- Risk Analysis and Quantification
- Independent Security Assessments
- Value Add and Process Improvement
- Enterprise Training and Awareness
- Risk Mitigation and Management
Elements: People, Processes, Controls, Data, Technologies
Recommended Risk Management Assessments
- Network Penetration Testing (internal network, external network)
- Web Application Penetration Testing
- On-Demand Vulnerability Scanning (internal, external, application)
- Social Engineering Testing
- Business Continuity (incident response, disaster recovery, business continuity)
- Mobile Device Infrastructure Security (BYOD)
- Cloud Computing
- Breach Investigation and Digital Forensics Analysis
Automated Solution Implementation
- File Integrity (Tripwire, Symantec)
- Firewalls (Cisco, Juniper, Checkpoint, Palo Alto)
- IDS/IPS (Cisco, Juniper, Checkpoint, Palo Alto)
- DLP and Content Management (Symantec, McAfee, CA, Websense)
- Log and Monitoring (LogRhythm, Splunk, ManageEngine)
- Antivirus/Antimalware (Symantec, McAfee, CA)
- SIEM, Security Information and Event Management (AlienVault, McAfee, LogRhythm)
Georgios Mortakis, CISSP, CISA, CRISC, PCIP, PCI QSA
Enterprise Risk Management
Phone: 305.447.6750
Fax: 305.447.6752
e-mail: gmortakis@emrisk.com
Company URL: www.emrisk.com
Company e-mail: info@emrisk.com