IT Security Management -- People, Procedures and Tools

IT Security Management: People, Procedures and Tools

Managing systems and information security can be daunting for NGOs with a global presence and limited resources. Looking at the issue through the lens of people, procedures and tools, this session will discuss approaches for ensuring IT security to minimize risk to your organization.

Andrew S. Baker, President of BrainWave Consulting Company, LLC

Transcript of IT Security Management -- People, Procedures and Tools

Page 1: IT Security Management: People, Procedures and Tools

Andrew S. Baker, President of BrainWave Consulting Company, LLC

Page 2: Today’s Goals

• Outline some key premises about Information Security
• Provide suggestions for dealing with today’s challenges, especially in a global setting
• Understand the importance of communication to effective Information Security
• Look for low-cost ways to obtain security information and resources

Page 3: There is NO Such Thing as a FREE Lunch

Page 4: Basic Tenets of Information Security

• Information Security is a lifestyle, not an event
• It’s about managing – not eliminating – risk
• It’s all about People, Processes and Tools/Technology
• It must be intrinsic to operations, not bolted on
• Complexity is the enemy of good security
• It’s not easy, but it needs to look easy
• How you spend is more important than How Much you spend

Page 5: Security is a Lifestyle, not an Event

• Good information security must be made intrinsic to business operations
• Security is a journey, not a destination
• Security is a moving target
• Security is the management of threats, risks and mitigations
• Consistency is the best friend of good security
• Complexity is the worst enemy of good security

Page 6: All About People

• The right people can overcome deficiencies in your policies, processes and technology
• The wrong people will likely undermine even the very best policies, processes and technology
• Trust is the most important characteristic in the people supporting your security. Trust, but Verify
• Hire people because they align with your goals and understand the technology – not because they are good at catching bad guys

Page 7: All About Processes & Procedures

• They must be relevant to the risks of your environment
• You need just enough processes to get the job done; Documentation must be one of those processes
• They should be simple enough to explain and monitor, yet robust enough for your needs
• They must be regularly evaluated for suitability, effectiveness and adherence
• Security has to be intrinsic to your operations, and consistently applied

Page 8: All About Tools & Technology

• Make sure your tools only implement your security, not define it
• Encryption, Encryption, Key Management & Encryption
• Fewer tools are better than more tools (CiTEoGS: Complexity is The Enemy of Good Security)
• Tool priority:
  • Detection
  • Prevention
  • Monitoring
  • Reporting
• Storage, storage, storage

Page 9: Complexity is the enemy of good security

• Most security issues stem from configuration problems or errors
• The more complex your configuration:
  • the more likely you’ll have security-impacting errors
  • the more likely you’ll have insecure components installed
  • the longer it will take to notice a potential intruder
  • the more money/time you will spend to support it
• Simplicity has many advantages, including cost, training time and visibility.

Page 10: Risk management, not Risk elimination

• Eliminating all risk is not only costly – it’s impossible
• Determine what risks you can accept and what risks you can transfer, reduce, or avoid – then prioritize your resources accordingly
• Risk management begins with a valid inventory of personnel, equipment and data

Page 11: Relationship of Spending to Security

• More money doesn't automatically mean better security
• Spending in the wrong place is worse than not spending at all.
• There are some things you can build and some you can buy.
• You can spend on people or technology or both

Page 12: Security Spending: Build vs Buy

• Option 1: Hire the brightest people and build everything
• Option 2: Hire decent people, and buy the right technology solutions
• Option 3: Figure out how to divide your meager budget between good enough people and good enough technology solutions

Page 13: Cover the Basics – Policy & Procedures

• Ensure that everyone is subject to the same minimum security level
• Security Awareness Training
• Treat Information Security as more than a computer or technology issue
• Don’t take any abnormal computing activity for granted

Page 14: Cover the Basics – Tactical & Operational

• Patch Management
• End-point protection (Antivirus, Antimalware)
• Use password managers and strong passwords
• Segregate your computing activity (secure vs non-secure)
• Make time to review logs

Page 15: Things to Do – Policy & Methodology

#1: Consolidate Your Tools
#2: Encourage a Culture of Security
#3: Keep Projects Small
#4: Use Native Features
#5: Access Security Communities
#6: Focus on Insurance vs Investment

Page 16: #1: Consolidate Your Tools

• Defense in Depth is still important, but don’t have too many tools doing the same things
• Integrated security hardware is preferable to completely separate hardware for each function

Page 17: #2: Encourage a Culture of Security

• Reward employees that maintain high security
• Don’t limit security to technology related areas:
  • Keeping desks clear
  • Managing confidential documents
  • Escorting visitors
  • Not picking up stray thumb drives
  • Keeping workstations locked
  • Not discussing sensitive information in open spaces

Page 18: #3: Keep Projects Small

• Regardless of staffing size, small discrete projects are more successfully implemented than massive, overarching projects
• Projects that take more than 2-3 weeks to fully implement are likely to be partially deployed or get postponed repeatedly

Page 19: #4: Use Native Features

• As much as possible, take advantage of the software that you’ve already paid for
• Advantages of using native software include:
  • Compatibility with more hardware and software
  • More controllable updates (generally)
  • Broader support potential from vendors and staff

Page 20: #5: Access Security Communities

• There are a wide variety of mailing lists, forums and social media communities that focus on current security information:
  • http://seclists.org/
  • http://secunia.com/community/advisories/
  • http://myitforum.com/myitforumwp/community/groups/
  • http://www.us-cert.gov/mailing-lists-and-feeds
• Different countries will have a CERT team as well (Computer Emergency Response Team)

Page 21: #6: Focus on Insurance vs Investment

• Don’t get hung up on trying to provide ROI for security initiatives
• Information Security is an insurance policy to keep the business operational; it’s a revenue protection mechanism
• True, there are investment aspects to information security as well, but the focus must be on preventing business-ending events

Page 22: Things to Do – Tactical

#1: Secure All Network Access
#2: Audit all Computing Activities
#3: Protect Data at Rest
#4: Secure Integration With Other Networks
#5: Effective Backup & Restore Options
#6: Security Education

Page 23: #1: Secure Access

• Avoid clear text protocols, especially when it comes to administrative access:
  • User access = HTTPS
  • Admin access = HTTPS / SSH
• Support strong and flexible password policies
• Support comprehensive role based usage and administration
• Use certificates, not only to ensure secure transmission, but to validate the client side of the connection
• SSL/TLS and SSH are some of the technologies that should be employed for ensuring secure access

Page 24: #2: Audited Access

• It’s not enough to have secure access. It’s important that the access be auditable.
• Keep track of users and user activity
• You need to be able to track who accessed what, from where, and at what time.
• Keep details of administrative activity and provide robust reporting
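As an added illustration (not from the deck), a small Python review script over constructed sample access records that answers the slide’s "who accessed what, from where, and when" question, keeps administrative activity separate for reporting, and flags off-hours access as abnormal activity worth a second look (see the "Make time to review logs" and "Don’t take any abnormal computing activity for granted" basics); the record format, names and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access records in an illustrative
# "when who what target where" format (not from the slides or any product).
SAMPLE_LOG = """\
2013-05-01T09:02:11Z alice login portal 203.0.113.7
2013-05-01T09:05:40Z alice read donor-db 203.0.113.7
2013-05-01T11:17:03Z bob admin:create-user directory 198.51.100.9
2013-05-01T11:18:22Z bob admin:grant-role directory 198.51.100.9
2013-05-02T02:44:51Z carol read donor-db 192.0.2.55
2013-05-02T02:45:10Z carol export donor-db 192.0.2.55
garbage line that should be skipped
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """One record per well-formed line: who accessed what, from where, and when."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # malformed lines are dropped rather than aborting the review
            when, who, what, target, where = m.groups()
            records.append({"when": when, "who": who, "what": what,
                            "target": target, "where": where})
    return records

def access_report(records):
    """Per-user summary: targets touched, source addresses, first/last time, count."""
    acc = defaultdict(lambda: {"targets": set(), "sources": set(), "times": []})
    for r in records:
        acc[r["who"]]["targets"].add(r["target"])
        acc[r["who"]]["sources"].add(r["where"])
        acc[r["who"]]["times"].append(r["when"])
    return {who: {"targets": sorted(v["targets"]), "sources": sorted(v["sources"]),
                  "first": min(v["times"]), "last": max(v["times"]),
                  "count": len(v["times"])} for who, v in acc.items()}

def admin_activity(records):
    """Administrative actions kept separately so they can be reviewed and reported."""
    return [r for r in records if r["what"].startswith("admin:")]

def off_hours(records, start=8, end=18):
    """Accesses outside business hours (UTC, hour taken from the ISO timestamp)."""
    return [r for r in records if not start <= int(r["when"][11:13]) < end]
```

Running `access_report(parse_log(SAMPLE_LOG))` gives one summary per user; `off_hours` singles out carol’s 02:44 read and export of the donor database for follow-up.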

Page 25: #3: Data at Rest

• Encrypting data in motion is well accepted today. Encrypting data at rest is still a little iffy today.
• In the event that you are breached or suspect a breach, the statements that you are able to make about the targeted data will be greatly affected by its encryption status

Page 26: #4: Secure Integration with Others

• Remember that your “perimeter” extends into all other networks that you choose to connect to your own.
• This includes cloud computing vendors, mobile providers, outsourcers, business partners, etc.
• You must ensure that you do not undermine the security of your application through insecure integration with other platforms (e.g. mobile) or other providers.

Page 27: #5: Effective Backup & Restore Options

• Disaster Recovery and Business Continuity are often considered when it is too late.
• Good security is not just about “protection,” but about availability and data integrity.
• Consider all the ways that your data could become inaccessible, and make some allowance for the most likely or most damaging scenarios.
• And, test, test, test!

Page 28: #6: Security Education & Awareness

• Security education need not be elaborate, and it need not be costly
• Security education just needs to be:
  • Relevant to the current threats
  • Relevant to the user roles
  • Comprehensive (over time)
  • Actionable
  • Measurable
  • Periodic
  • Rewarding
  • Personally Applicable

Page 29: Considerations for the Cloud

#1: Security in the cloud is an extension of security outside the cloud.
#2: Auditing and reporting are some of the most important security needs that vendors take the longest to address.
#3: The best security options in a cloud service cannot overcome the worst security practices by a customer (or provider). Tools are just a means of facilitating process.

Page 30: Considerations for the Cloud (Continued)

#4: There are many legal components of cloud security that are overlooked until very late in the procurement process. Get your legal team involved early.
#5: Your data is not automatically safer on-premise or less safe in the cloud (or vice versa). You *might* have more control over your data on your own premises, but without the processes, tools or staffing to address issues, your data will be at risk.
#6: Regular risk assessments are needed to ensure that the right level of security is being applied to your data

Page 31: Summary of “DO”s

• Keep things as simple as possible
• Start with clear policies and procedures
• Use native tools
  • Use trusted open source tools
  • Use “Community Edition” tools
• Hire the right people
• Regularly communicate with employees, management and key partners
• Keep abreast of current risks

Page 32: Summary of “DON’T”s

• Don’t lose control of your data
  • If you use 3rd parties to host or manage your data, encrypt it
• Don’t unnecessarily expose or discuss your security mechanisms in detail
  • There is some security in obscurity
• Don’t ignore the security-trained resources that you have access to
  • Your staff is really trying to help you. If anything, educate them about how to make decisions with limited data
• The security of your data is ultimately your problem
  • Don’t expect to off-load 100% of the security concerns your organization faces to your cloud vendors or other 3rd parties. Your practices are important too.

Page 33: There is NO Such Thing as a FREE Lunch

Page 34: Question & Answer Time

Contact Info:

Andrew S. Baker
www.BrainWaveCC.com
[email protected]
http://XeeMe.com/AndrewBaker