
InfoSec Controls Selection Strategies

Presented to:

Oregon Connections Telecom Conference

Presented by:

David Trepp, M.S.

October 23, 2014

Info@Risk Facts

• Oregon S Corporation
• Certified Veteran Owned Small Business
• Assessment-Only Vendor
• Providing Infosec Risk Analysis Services Since January, 1998 and Performed Thousands of Engagements
• Notable Project Team Certifications:
– CISSP: Certified Information System Security Professional
– CISA: Certified Information Systems Auditor
– CWASS: Certified Web Application Security Specialist
– CEH: Certified Ethical Hacker
– CPT: Certified Penetration Tester
– CHP: Certified HIPAA Professional
– CSCS: Certified Security Compliance Specialist

Information Security Safeguard Domains

• Administrative
• Physical
• Technological
• Human

Information Security Impacts

• The C-I-A Triad of Information Security:
– Confidentiality
– Integrity
– Availability

InfoSec Controls

• Security Controls Come in Three Flavors:
– Administrative
– Logical
– Physical

• Major Control Functions Include:
1. Preventative: Prevent an attack or security event prior to it occurring
e.g. firewall, access control list (ACL), door lock
2. Detective: Detect an attack or security event during or after the attack/event
e.g. Intrusion Detection System (IDS), log monitoring, motion sensors
3. Corrective: Limit the damage / scope of an attack or security event
e.g. invoke IR procedure, restore trusted backup, remediate vulnerability
4. Deterrent: Deter (not stop) an attack or security event
e.g. security/privacy notices/warnings, visible cameras
5. Compensating: Provide a counterbalance for a weakness in an applied control
e.g. system/process isolation, layers of AV/malware protection
6. Directive: Mandated by law, regulation, or compliance
e.g. PCI, CJIS, InfoSec Policy

NIST InfoSec Risk Management Program

Source: NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems

The six steps of that framework (Categorize, Select, Implement, Assess, Authorize, Monitor) structure the remainder of this presentation.

Use A Risk Management Strategy

• Whether:
– Planning an Entire InfoSec Program
– Selecting Common InfoSec Controls
– Selecting InfoSec Controls for Any Given Application or System

Step One: Categorize

• Perform Risk Assessment
• Five Pillars of Risk Assessment (from NIST SP 800-30):
I: Business (Clinical) Process Characterization
II: Systems Characterization
III: Threat Modeling
IV: Controls Documentation
V: Quantifying Risk (Risk = Likelihood * Impact)

• Ask the vendor pointed questions about their System’s security features and configurations:
– Encryption: at rest & in transit
– Credential storage
– Default services
– Default credentials
– Account types and privileges

• For threat modeling, play the “what if” game for Confidentiality, Integrity and Availability (CIA)

• Get upper management approval for acceptable risk thresholds
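The following is an added worked example, not part of the presentation, showing how the five pillars above can be carried into a small risk register: the system and its business process (Pillars I and II), "what if" threats tagged by CIA property (Pillar III), the documented controls credited against each threat (Pillar IV), and Risk = Likelihood * Impact before and after those controls (Pillar V), compared against the management-approved threshold. The 1..3 ordinal scale, the rule that preventative/deterrent controls lower likelihood one step while detective/corrective/compensating controls lower impact one step, the patient-portal system, its threats and the threshold value are all constructed assumptions for the illustration.

```python
"""Added example (not from the presentation): a tiny risk register that walks
the five pillars from NIST SP 800-30 as the slide summarizes them and applies
Risk = Likelihood * Impact. The system, threats, scores, control effects and
the management-approved threshold are all constructed for illustration."""

from dataclasses import dataclass, field

# Ordinal scale used for both Likelihood and Impact (assumption: 1..3).
SCALE = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Threat:
    """One 'what if' scenario from threat modeling (Pillar III), tagged with
    the CIA property it threatens."""
    description: str
    cia_property: str                   # "confidentiality", "integrity" or "availability"
    likelihood: str                     # key into SCALE
    impact: str                         # key into SCALE
    controls: list = field(default_factory=list)  # Pillar IV: (name, control function)


@dataclass
class System:
    """Pillars I and II: the business process served and the system itself."""
    name: str
    business_process: str
    threats: list


def inherent_risk(t: Threat) -> int:
    """Pillar V before any control is credited: Risk = Likelihood * Impact."""
    return SCALE[t.likelihood] * SCALE[t.impact]


def residual_risk(t: Threat) -> int:
    """Pillar V after documented controls. Assumed model: preventative and
    deterrent controls lower likelihood one step; detective, corrective and
    compensating controls lower impact one step; nothing drops below 1."""
    likelihood, impact = SCALE[t.likelihood], SCALE[t.impact]
    for _name, function in t.controls:
        if function in ("preventative", "deterrent"):
            likelihood = max(1, likelihood - 1)
        elif function in ("detective", "corrective", "compensating"):
            impact = max(1, impact - 1)
    return likelihood * impact


def risk_register(system: System) -> dict:
    """Map each threat description to (inherent, residual) risk."""
    return {t.description: (inherent_risk(t), residual_risk(t)) for t in system.threats}


def above_threshold(system: System, threshold: int) -> list:
    """Threats whose residual risk still exceeds the approved threshold and so
    need more controls, or explicit acceptance by management."""
    return [t.description for t in system.threats if residual_risk(t) > threshold]


# Constructed clinical example: a patient portal holding ePHI.
PORTAL = System(
    name="patient-portal (constructed)",
    business_process="patients view lab results online",
    threats=[
        Threat("Stolen credentials expose ePHI", "confidentiality", "high", "high",
               controls=[("multi-factor authentication", "preventative")]),
        Threat("Database tampering alters lab results", "integrity", "moderate", "high",
               controls=[("database integrity monitoring", "detective"),
                         ("restore from trusted backup", "corrective")]),
        Threat("Denial of service takes the portal offline", "availability",
               "moderate", "moderate"),
    ],
)
APPROVED_THRESHOLD = 4   # assumed value signed off by upper management

if __name__ == "__main__":
    for desc, (inherent, residual) in risk_register(PORTAL).items():
        print(f"{desc}: inherent={inherent} residual={residual}")
    print("needs attention:", above_threshold(PORTAL, APPROVED_THRESHOLD))
```

With these inputs the credential-theft threat starts at 9, drops to 6 once multi-factor authentication is credited, and is the only item still above the approved threshold of 4; lowering the threshold to 3 would also pull the uncontrolled denial-of-service threat (residual 4) onto the list, which is exactly the kind of trade-off the management sign-off is meant to settle.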

Step Two: Select

• Every System should have system-specific security controls and common (network-wide) security controls
– Best if chosen from a standardized catalog, e.g. ISO or NIST
– Many common organizational controls may already be in place, e.g. door locks to the server room, firewalls, etc., but make sure they are both applicable and deployed to support the system

• System-specific controls may be administrative/contractual in nature:
– Limit administrative accounts in number and privilege
– Ensure dual controls and least privilege
– Encrypt
– Disable unnecessary services
– Change default account settings

• Consider Outsourced vs. In-house System Risks
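As an added example (not from the presentation), the vendor questions from the Categorize slide and the system-specific controls listed above can be turned into a checklist-as-code audit: the vendor's answers about accounts, services, encryption and credential storage are captured in a dictionary and every violated control produces a finding. The weak configuration and the hardened one beside it, the policy limits (two admin accounts, only https and ssh required, salted hashes for stored passwords) and all account and service names are constructed assumptions; none of it describes a real product.

```python
"""Added example (not from the presentation): a checklist-as-code audit of a
vendor system's characterization against the system-specific controls the
slides list (limit admin accounts, dual control / least privilege, encrypt,
disable unnecessary services, change default account settings). Both system
descriptions below are constructed; nothing here comes from a real product."""

# Assumed policy values for the illustration.
MAX_ADMIN_ACCOUNTS = 2
REQUIRED_SERVICES = {"https", "ssh"}           # everything else counts as unnecessary here
ACCEPTED_CREDENTIAL_STORAGE = {"salted_hash"}  # how the vendor says passwords are stored

# Constructed answers to the vendor questions on the Categorize slide (weak case).
SAMPLE_SYSTEM = {
    "name": "lab-results-server (constructed)",
    "accounts": [
        {"name": "vendoradmin", "role": "admin", "default_password": True,  "shared": True},
        {"name": "svc_backup",  "role": "admin", "default_password": False, "shared": False},
        {"name": "jdoe",        "role": "admin", "default_password": False, "shared": False},
        {"name": "nurse1",      "role": "user",  "default_password": False, "shared": False},
    ],
    "services": ["https", "ssh", "telnet", "ftp"],
    "encryption": {"in_transit": "TLS 1.2", "at_rest": None},
    "credential_storage": "plaintext",
}

# The same system after the controls have been applied (constructed).
HARDENED_SYSTEM = {
    "name": "lab-results-server (constructed, hardened)",
    "accounts": [
        {"name": "svc_backup", "role": "admin", "default_password": False, "shared": False},
        {"name": "jdoe",       "role": "admin", "default_password": False, "shared": False},
        {"name": "nurse1",     "role": "user",  "default_password": False, "shared": False},
    ],
    "services": ["https", "ssh"],
    "encryption": {"in_transit": "TLS 1.2", "at_rest": "AES-256 volume encryption"},
    "credential_storage": "salted_hash",
}


def audit(system: dict) -> list:
    """Return one (control, detail) finding per violated control."""
    findings = []
    admins = [a for a in system["accounts"] if a["role"] == "admin"]

    # Limit administrative accounts in number and privilege.
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(("limit_admin_accounts",
                         f"{len(admins)} admin accounts, policy allows {MAX_ADMIN_ACCOUNTS}"))

    # Dual controls and least privilege: a shared admin login defeats individual accountability.
    for a in admins:
        if a["shared"]:
            findings.append(("dual_control_least_privilege",
                             f"shared administrative account {a['name']}"))

    # Change default account settings.
    for a in system["accounts"]:
        if a["default_password"]:
            findings.append(("change_default_settings",
                             f"account {a['name']} still uses the vendor default password"))

    # Disable unnecessary services.
    for svc in system["services"]:
        if svc not in REQUIRED_SERVICES:
            findings.append(("disable_unnecessary_services", f"service {svc} is not required"))

    # Encrypt: at rest, in transit, and for stored credentials.
    enc = system["encryption"]
    if not enc.get("at_rest"):
        findings.append(("encrypt", "no encryption at rest"))
    if not enc.get("in_transit"):
        findings.append(("encrypt", "no encryption in transit"))
    if system["credential_storage"] not in ACCEPTED_CREDENTIAL_STORAGE:
        findings.append(("encrypt", f"credentials stored as {system['credential_storage']}"))
    return findings


def controls_violated(system: dict) -> set:
    """Distinct control names that failed, for a quick pass/fail summary."""
    return {control for control, _ in audit(system)}


if __name__ == "__main__":
    for control, detail in audit(SAMPLE_SYSTEM):
        print(f"{control:30} {detail}")
    print("hardened findings:", audit(HARDENED_SYSTEM))
```

The weak configuration yields seven findings across all five controls; the hardened copy yields none. Keeping the vendor's answers in this structured form also makes the contractual side easier, since each field maps to one of the disclosure provisions on the Contract Controls slide.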

Selection Planning Should…

All Systems & Applications

• Assume it’s your problem and your responsibility
– It’s your institution, but you’re just one more client to a vendor
• Assume that your users will attempt to circumvent/simplify controls
– Teach them about secure passwords and password storage
• Overestimate customization and integration costs
– Cloud customization and integration are high-margin revenue sources for cloud providers
• Include periodic incident response exercises
– Cloud breaches and outages are a different animal altogether
• Include periodic penetration testing
– Networks and applications are never static

Outsourced/Cloud Systems & Applications

• Overestimate bandwidth usage
– Bandwidth usage never shrinks
• Assume that your IT team will need some technical cloud/outsourced app training
– Or your organization will be easily taken advantage of and helpless in a crisis
• Overestimate usage for pay-per-use costs
– Pay-per-use services must be turned off when not in use (not a human strong suit)
• Overestimate the number of users for pay-per-user costs
– Lots of Salesforce.com installations have begun with just a handful of users, at a modest cost
• Overestimate storage costs and de-duplicate where possible
– Storage requirements (for both applications and their backups) never shrink
• Establish resource caps with alerts
– The cloud’s elasticity can result in runaway expenditures
• Begin with a thorough InfoSec Risk Assessment
– Making informed, risk-based decisions is paramount!

Systems & Applications Should Have…

All Systems & Applications

– Ability to customize applications (or, at least, reporting)
– Ability to interface applications
– Ability to provide trial evaluation periods
– No hardcoded credentials or keys
– Secure development controls
– Secure mobile support controls
– Secure encryption controls
• In transit, e.g. IPSec with AES, SSH, SSL/TLS
• At rest (consider Hypervisor, OS, & DB levels), covering:
– ePHI & other sensitive data
– Credential hashes
– Session keys
– Log files
– Configuration files
– Backup files
– Data in RAM, e.g. credentials

Outsourced/Cloud Systems & Applications

– Secure multi-tenant silos & virtualization controls
– Secure authentication, authorization & access controls (i.e. more than an 8-character password)
– Rigorous patch management program for Hypervisor, OS, DB & Apps
– Rigorous availability controls
– Rigorous multi-tenant logging and audit trail controls, e.g. switches, routers, firewalls
– Rigorous multi-tenant intrusion detection & alerting controls
– Rigorous multi-tenant forensics controls, e.g. see NIST Interagency Report 8006

Step Three: Implement

• Implement security controls as prescribed by Risk Assessment & Controls Selection
– With the possible exception of Cloud solutions, the system vendor is rarely the appropriate party to implement security controls protecting their system
– Administrative control implementations often conflict with vendors’ “let’s keep it easy and inexpensive to support” philosophy, e.g.:
– Easy remote access
– Standard, weak default credentials
– Vendors must be forced to toe the line as Business Associates

Contract Controls Should Include…

All Systems & Applications

– Provisions for disclosure of all accounts, their minimum credential requirements, & privilege levels
– Provisions for clear delineation of data & application ownership
– Inclusion of fees for all required services
– Provisions for trial evaluation periods
– Indemnity for patent, trademark, and copyright violations
– Provisions for dispute resolution
– Provisions for software escrow
– Provisions for penetration testing/vulnerability assessment
– Use of “shall” verbiage for due diligence and due care (instead of “best effort,” “goal,” or “target” verbiage)

Outsourced/Cloud Systems & Applications

– FedRAMP compliance attestation
– SLA attestations, e.g. downtime, performance, etc.
– Provisions for data breach notifications, incident escalation & forensics
– Provisions for e-discovery data requests
– Provisions for normal, end-of-contract, or end-of-business data access & migration
– Evidence of vendor risk management (outsource/cloud vendor and their vendors):
• Test and Assessment results (or, at least, an auditor's cover letter)
• InfoSec policies, standards, procedures & controls

Step Four: Assess

• Perform Risk Analysis Activities:
– Covering all four Safeguard Domains: Administrative, Physical, Human, Technological
– Against all Impacts: Confidentiality, Integrity, Availability
– Testing all Control Types: Administrative, Logical, Physical

Step Five: Authorize

• Remediate vulnerabilities found during risk analysis and Authorize as “functioning as intended”
– Remediation can be the most onerous part of the process
– May require significant human-hours
– May involve third party vendors
– May involve budget line items

Step Six: Monitor

• Don’t fall asleep at the wheel, because information systems are not “set it and forget it” from a security perspective
– Patch management for vulnerable operating systems, database engines, development environments, and the Internet of Things is crucial, and is often managed by the vendor
– Monitor system logs and intrusion detection/prevention systems
– Get stakeholders and vendors used to the idea of periodic security testing, reporting, and meetings

• Rinse and Repeat, as necessary!
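"Monitor system logs" is easy to say and easy to neglect, so here is an added example (not from the presentation) of what the detective control on the InfoSec Controls slide looks like in practice for the Monitor step: a small analyzer that parses sshd-style authentication lines and raises an alert for a burst of failed logins from one source, for any successful login by a watched vendor or default account (the same accounts the Categorize and Select slides say to disclose and rename), and for a success that follows several failures from the same source. The log lines, the host name labsrv, the addresses, the account names, the watched-account list, the 120-second window and the thresholds of 5 and 3 are all constructed assumptions.

```python
"""Added example (not from the presentation): log monitoring for the Monitor
step. It parses sshd-style authentication lines and raises three kinds of
alert: a burst of failed logins from one source, a successful login by a
watched (vendor/default) account, and a success that follows several
failures from the same source. The log lines, hostname, account names,
addresses and thresholds are all constructed for illustration."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a syslog auth file (year assumed to be 2014 for parsing).
SAMPLE_LOG = """\
Oct 23 09:00:01 labsrv sshd[1201]: Failed password for jdoe from 10.0.0.7 port 51022 ssh2
Oct 23 09:00:05 labsrv sshd[1201]: Accepted password for jdoe from 10.0.0.7 port 51022 ssh2
Oct 23 09:01:00 labsrv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Oct 23 09:01:02 labsrv sshd[1204]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Oct 23 09:01:04 labsrv sshd[1205]: Failed password for root from 203.0.113.5 port 40003 ssh2
Oct 23 09:01:06 labsrv sshd[1206]: Failed password for root from 203.0.113.5 port 40004 ssh2
Oct 23 09:01:08 labsrv sshd[1207]: Failed password for vendoradmin from 203.0.113.5 port 40005 ssh2
Oct 23 09:01:10 labsrv sshd[1208]: Accepted password for vendoradmin from 203.0.113.5 port 40006 ssh2
Oct 23 09:30:00 labsrv sshd[1300]: Accepted publickey for svc_backup from 10.0.0.9 port 50100 ssh2
""".splitlines()

# Accounts whose interactive use should always be reviewed (assumed list).
WATCHED_ACCOUNTS = {"root", "admin", "vendoradmin"}

LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) (\w+) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse(line: str):
    """Turn one sshd line into a dict, or None if it is not an auth event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime("2014 " + m.group(1), "%Y %b %d %H:%M:%S"),
        "result": m.group(2),
        "method": m.group(3),
        "user": m.group(4),
        "src": m.group(5),
    }


def analyze(lines, window=timedelta(seconds=120), burst=5, follow_on=3):
    """Return alerts as tuples; the first element names the rule that fired."""
    alerts = []
    failures = defaultdict(list)   # source address -> failure timestamps inside the window
    burst_reported = set()         # one burst alert per source, not one per extra failure
    for event in filter(None, map(parse, lines)):
        src, now = event["src"], event["time"]
        # Slide the window: forget failures older than `window` before this event.
        failures[src] = [t for t in failures[src] if now - t <= window]
        if event["result"] == "Failed":
            failures[src].append(now)
            if len(failures[src]) >= burst and src not in burst_reported:
                alerts.append(("burst_failures", src, len(failures[src])))
                burst_reported.add(src)
        else:
            if event["user"] in WATCHED_ACCOUNTS:
                alerts.append(("watched_account_login", event["user"], src))
            if len(failures[src]) >= follow_on:
                alerts.append(("success_after_failures", event["user"], src, len(failures[src])))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample the single jdoe typo produces nothing, while the 203.0.113.5 sequence produces all three alerts, the last one being the one that should page someone: a vendor account accepted a password ten seconds after five failures from the same address. The thresholds are deliberately parameters, since the right values depend on the system's normal traffic, which is itself something the periodic reviews in this step should establish.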

Conclusions

• Information Security is a balance between necessary access and restrictions
• Effective Information Security requires organizational understanding of business needs and threats to information assets
• Thoroughly informed, risk-based decisions are a necessary element in achieving Information Security balance
• Following a standard process for categorizing, selecting, implementing, assessing, authorizing, and monitoring security controls aids informed decision-making and helps to avoid costly mistakes

Thank you!

Contact Info:

David Trepp

President

[email protected]

877-328-7475

Questions?