InfoSec Controls Selection Strategies
Presented to:
Oregon Connections Telecom Conference
Presented by:
David Trepp, M.S.
October 23, 2014
Info@Risk Facts
• Oregon S Corporation
• Certified Veteran Owned Small Business
• Assessment-Only Vendor
• Providing Infosec Risk Analysis Services Since January, 1998 and Performed Thousands of Engagements
• Notable Project Team Certifications:
  – CISSP: Certified Information System Security Professional
  – CISA: Certified Information Systems Auditor
  – CWASS: Certified Web Application Security Specialist
  – CEH: Certified Ethical Hacker
  – CPT: Certified Penetration Tester
  – CHP: Certified HIPAA Professional
  – CSCS: Certified Security Compliance Specialist
InfoSec Controls
• Security Controls Come in Three Flavors:
  – Administrative
  – Logical
  – Physical
• Major Control Functions Include:
  1. Preventative: Prevent an attack or security event prior to it occurring, e.g. firewall, access control list (ACL), door lock
  2. Detective: Detect an attack or security event after OR during the attack/event, e.g. Intrusion Detection System (IDS), log monitoring, motion sensors
  3. Corrective: Limit the damage / scope of an attack or security event, e.g. invoke IR procedure, restore trusted backup, remediate vulnerability
  4. Deterrent: Deter (not stop) an attack or security event, e.g. security/privacy notices/warnings, visible cameras
  5. Compensating: Provide counterbalance for a weakness in an applied control, e.g. system/process isolation, layers of AV/malware protection
  6. Directive: Mandated by law, regulation, compliance, e.g. PCI, CJIS, InfoSec Policy
NIST InfoSec Risk Management Program
Source: NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
Use A Risk Management Strategy
• Whether:
  – Planning an Entire InfoSec Program
  – Selecting Common InfoSec Controls
  – Selecting InfoSec Controls for Any Given Application or System
Step One: Categorize
• Perform Risk Assessment
• Five Pillars of Risk Assessment (from NIST SP 800-30):
  I: Business (Clinical) Process Characterization
  II: Systems Characterization
  III: Threat Modeling
  IV: Controls Documentation
  V: Quantifying Risk (Risk = Likelihood * Impact)
• Ask the vendor pointed questions about their system’s security features and configurations:
  – Encryption: at rest & in transit
  – Credential storage
  – Default services
  – Default credentials
  – Account types and privileges
• For threat modeling, play the “what if” game for Confidentiality, Integrity and Availability (CIA)
• Get upper management approval for acceptable risk thresholds
Step Two: Select
• Every system should have system-specific security controls and common (network-wide) security controls
  – Best if chosen from a standardized catalog, e.g. ISO or NIST
  – Many common organizational controls may already be in place, e.g. door locks to the server room, firewalls, etc., but make sure they are both applicable and deployed to support the system
  – System-specific controls may be administrative/contractual in nature:
    – Limit administrative accounts in number and privilege
    – Ensure dual controls and least privilege
    – Encrypt
    – Disable unnecessary services
    – Change default account settings
• Consider Outsourced vs. In-house System Risks
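As an added illustration of Steps One and Two (not part of the presentation), the following Python sketch scores a constructed set of threats with the deck's Risk = Likelihood * Impact formula, compares them with a management-approved threshold, and then reports, for every unacceptable risk, which control functions (preventative, detective, corrective) have no deployed control and which catalog entries would fill that gap. The threat list, the control catalog, the 1 to 5 scales and the threshold value are all constructed assumptions; the catalog entries are taken from the control examples the deck itself names (change default credentials, log monitoring, encryption, restore from trusted backup, door lock).

```python
# Added example (not from the presentation): Step One scoring and Step Two gap analysis.
# All threats, controls, scales and the threshold below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (frequent); constructed scale
    impact: int            # 1 (negligible) .. 5 (severe); constructed scale
    affects: frozenset     # which of C, I, A the "what if" scenario harms

    def risk(self) -> int:
        # The deck's formula: Risk = Likelihood * Impact
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    function: str          # preventative / detective / corrective (deck's control functions)
    kind: str              # administrative / logical / physical (deck's three flavors)
    addresses: frozenset   # threat ids this control is documented against
    deployed: bool         # Pillar IV: is it actually in place for this system?


# Assumption: management has approved 9 as the acceptable-risk threshold on a 1..25 scale.
THRESHOLD = 9

THREATS = [
    Threat("default-creds", "Vendor default admin credentials left enabled", 4, 5, frozenset("CI")),
    Threat("backups", "Unencrypted backup media shipped off-site", 2, 5, frozenset("C")),
    Threat("ransomware", "Ransomware on the application server", 3, 4, frozenset("IA")),
    Threat("power", "Power loss in the server room", 2, 2, frozenset("A")),
]

CATALOG = [
    Control("Change default credentials before go-live", "preventative", "administrative",
            frozenset({"default-creds"}), True),
    Control("Monitor privileged logins in system logs", "detective", "logical",
            frozenset({"default-creds", "ransomware"}), False),
    Control("Encrypt backup media with AES", "preventative", "logical",
            frozenset({"backups"}), False),
    Control("Restore from trusted backup", "corrective", "logical",
            frozenset({"ransomware", "power"}), True),
    Control("Server room door lock", "preventative", "physical",
            frozenset({"power"}), True),
]

REQUIRED_FUNCTIONS = ("preventative", "detective", "corrective")


def unacceptable(threats, threshold=THRESHOLD):
    """Threats whose score exceeds the approved threshold, highest risk first."""
    return sorted((t for t in threats if t.risk() > threshold), key=lambda t: -t.risk())


def covered_functions(threat, catalog):
    """Control functions already provided by deployed controls documented against the threat."""
    return {c.function for c in catalog if c.deployed and threat.id in c.addresses}


def gaps(threats, catalog, threshold=THRESHOLD):
    """For each unacceptable threat: its score, the missing control functions, and the
    undeployed catalog entries that would supply one of those missing functions."""
    report = {}
    for t in unacceptable(threats, threshold):
        have = covered_functions(t, catalog)
        missing = [f for f in REQUIRED_FUNCTIONS if f not in have]
        candidates = [c.name for c in catalog
                      if not c.deployed and t.id in c.addresses and c.function in missing]
        report[t.id] = {"risk": t.risk(), "affects": "".join(sorted(t.affects)),
                        "missing": missing, "candidates": candidates}
    return report


if __name__ == "__main__":
    for tid, row in gaps(THREATS, CATALOG).items():
        print(f"{tid:15} risk={row['risk']:2} CIA={row['affects']:3} "
              f"missing={row['missing']} candidates={row['candidates']}")
```

The point of the `deployed` flag is the deck's warning that a common control may exist on paper without supporting the system in question: a control that is in the catalog but not deployed for this system counts as a candidate, not as coverage. Threats at or below the threshold (the constructed power-loss scenario) are accepted risk and do not appear in the report at all.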
Selection Planning Should…
All Systems & Applications
• Assume it’s your problem and your responsibility
  – It’s your institution, but you’re just one more client to a vendor
• Assume that your users will attempt to circumvent/simplify controls
  – Teach them about secure passwords and password storage
• Overestimate customization and integration costs
  – Cloud customization and integration are high-margin revenue sources for cloud providers
• Include periodic incident response exercises
  – Cloud breaches and outages are a different animal altogether
• Include periodic penetration testing
  – Networks and applications are never static
Outsourced/Cloud Systems & Applications
• Overestimate bandwidth usage
  – Bandwidth usage never shrinks
• Assume that your IT team will need some technical cloud/outsourced app training
  – Or your organization will be easily taken advantage of and helpless in a crisis
• Overestimate usage for pay-per-use costs
  – Pay-per-use services must be turned off when not in use (not a human strong suit)
• Overestimate the number of users for pay-per-user costs
  – Lots of Salesforce.com installations have begun with just a handful of users, at a modest cost
• Overestimate storage costs and de-duplicate where possible
  – Storage requirements (for both applications and their backups) never shrink
• Establish resource caps with alerts
  – The cloud’s elasticity can result in runaway expenditures
• Begin with a thorough InfoSec Risk Assessment
  – Making informed, risk-based decisions is paramount!
Systems & Applications Should Have…
All Systems & Applications
– Ability to customize applications (or, at least, reporting)
– Ability to interface applications
– Ability to provide trial evaluation periods
– No hardcoded credentials or keys
– Secure development controls
– Secure mobile support controls
– Secure encryption controls
  • In transit, e.g. IPSec with AES, SSH, SSL/TLS
  • At rest (consider Hypervisor, OS, & DB levels):
    – ePHI & other sensitive data
    – Credential hashes
    – Session keys
    – Log files
    – Configuration files
    – Backup files
    – Data in RAM, e.g. credentials
Outsourced/Cloud Systems & Applications
– Secure multi-tenant silos & virtualization controls
– Secure authentication, authorization & access controls (i.e. more than an 8 char pw)
– Rigorous patch management program for Hypervisor, OS, DB & Apps
– Rigorous availability controls
– Rigorous multi-tenant logging and audit trail controls, e.g. switches, routers, firewalls
– Rigorous multi-tenant intrusion detection & alerting controls
– Rigorous multi-tenant forensics controls, e.g. see NIST Interagency Report 8006
Step Three: Implement
• Implement security controls as prescribed by the Risk Assessment & Controls Selection
  – With the possible exception of Cloud solutions, the system vendor is rarely the appropriate party to implement security controls protecting their system
  – Administrative control implementations often conflict with vendors’ “let’s keep it easy and inexpensive to support” philosophy:
    – Easy remote access
    – Standard, weak default credentials
  – Vendors must be forced to toe the line as Business Associates
Contract Controls Should Include…
All Systems & Applications
– Provisions for disclosure of all accounts, their minimum credential requirements, & privilege levels
– Provisions for clear delineation of data & application ownership
– Inclusion of fees for all required services
– Provisions for trial evaluation periods
– Indemnity for patent, trademark, and copyright violations
– Provisions for dispute resolution
– Provisions for software escrow
– Provisions for penetration testing/vulnerability assessment
– Use of “shall” verbiage for due diligence and due care (instead of “best effort,” “goal,” or “target” verbiage)
Outsourced/Cloud Systems & Applications
– FedRAMP compliance attestation
– SLA attestations, e.g. downtime, performance, etc.
– Provisions for data breach notifications, incident escalation & forensics
– Provisions for e-discovery data requests
– Provisions for normal, end-of-contract, or end-of-business data access & migration
– Evidence of vendor risk management (outsource/cloud vendor and their vendors):
  • Test and Assessment results (or, at least, an auditor's cover letter)
  • InfoSec policies, standards, procedures & controls
Step Four: Assess
• Perform Risk Analysis Activities:
  – Covering all four Safeguard Domains: Administrative, Physical, Human, Technological
  – Against all Impacts: Confidentiality, Integrity, Availability
  – Testing all Control Types: Administrative, Logical, Physical
Step Five: Authorize
• Remediate vulnerabilities found during risk analysis and Authorize as “functioning as intended”
  – Remediation can be the most onerous part of the process:
    – May require significant human-hours
    – May involve third party vendors
    – May involve budget line items
Step Six: Monitor
• Don’t fall asleep at the wheel, because information systems are not “set it and forget it” from a security perspective
  – Patch management for vulnerable operating systems, database engines, development environments, and the Internet of Things is crucial, and often managed by the vendor
  – Monitor system logs and intrusion detection/prevention systems
  – Get stakeholders and vendors used to the idea of periodic security testing, reporting, and meetings
• Rinse and Repeat, as necessary!
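To make the "monitor system logs" bullet concrete, here is an added Python example (not from the presentation) that runs three simple detective checks over constructed authentication log lines: a burst of failed logins from one source inside a short window, a successful login from a source that has already tripped the burst check, and any successful login by a vendor default account that Step Two said should have been changed. The log format, the sample lines, the default-account list and the thresholds are all constructed assumptions; a real deployment would read the format its own systems emit.

```python
# Added example (not from the presentation): simple detection over constructed auth-log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> host=<h> user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2014-10-23T08:01:12 host=app01 user=jsmith src=10.1.4.22 result=OK
2014-10-23T08:02:01 host=app01 user=admin src=203.0.113.9 result=FAIL
2014-10-23T08:02:03 host=app01 user=admin src=203.0.113.9 result=FAIL
2014-10-23T08:02:05 host=app01 user=admin src=203.0.113.9 result=FAIL
2014-10-23T08:02:08 host=app01 user=admin src=203.0.113.9 result=FAIL
2014-10-23T08:02:11 host=app01 user=admin src=203.0.113.9 result=FAIL
2014-10-23T08:02:14 host=app01 user=admin src=203.0.113.9 result=OK
2014-10-23T08:15:40 host=db01 user=sa src=10.1.4.50 result=OK
2014-10-23T09:30:00 host=app01 user=jsmith src=10.1.4.22 result=FAIL
garbage line that does not parse
"""

# Assumption: vendor-supplied account names the organization decided to rename or disable
# during control selection, so any interactive login by them is worth an alert.
DEFAULT_ACCOUNTS = {"admin", "sa", "root"}


def parse(text):
    """Turn raw lines into event dicts; malformed lines are skipped, never allowed to crash the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Source addresses with at least `threshold` FAIL results inside any sliding `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(src)
                break
    return alerts


def successes_after_bursts(events, burst_sources):
    """Successful logins from a source that already tripped the failed-login burst check."""
    flagged = set(burst_sources)
    return [(e["user"], e["src"]) for e in events if e["result"] == "OK" and e["src"] in flagged]


def default_account_logins(events, default_accounts=DEFAULT_ACCOUNTS):
    """Successful logins by accounts that control selection said should no longer be usable."""
    return [(e["host"], e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["user"] in default_accounts]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    bursts = failed_login_bursts(ev)
    print("failed-login bursts from:", bursts)
    print("successes after a burst:", successes_after_bursts(ev, bursts))
    print("default-account logins:", default_account_logins(ev))
```

Each check maps back to a control the deck names: the burst and success-after-burst checks are the detective counterpart to limiting administrative accounts and enforcing strong credentials, and the default-account check verifies that the "change default account settings" control from Step Two is actually in effect rather than merely selected.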
Conclusions
• Information Security is a balance between necessary access and restrictions
• Effective Information Security requires organizational understanding of business needs and threats to information assets
• Thoroughly informed, risk-based decisions are a necessary element in achieving Information Security balance
• Following a standard process for categorizing, selecting, implementing, assessing, authorizing, and monitoring security controls aids informed decision-making and helps to avoid costly mistakes
Thank you!
Contact Info:
David Trepp
President
877-328-7475
Questions?