Stop Managing Security. Start Managing Risk. CIO Interact Conference 8 May 2007.
Stop Managing Security. Start Managing Risk.
CIO Interact Conference
8 May 2007
Security Governance
Darren O’Loughlin
General Manager - Security
Dimension Data Australia
Governance Challenges: Perceptions & Reality
IT Security is viewed as an expense and NOT an enabler
• a regulatory and governance requirement rather than a business enabler
Security budgets and technology investment decisions may not be appropriately aligned with the organisation's risk management framework
Governance Challenges: Perceptions & Reality
Information Security Governance is relegated to the IT Department and NOT addressed at the executive level of the organisation
• IT department personnel are limited in capacity, focused on service delivery, and prioritise based on business requirements, with security as an addendum
• Security within the environment is typically focused on specific tactical requirements and not aligned to address the critical security risks that may impact the overall environment
• Without a formal framework mandated by the executive, a security governance discipline will not be attained and will always be best effort rather than a duty of care
Governance Challenges: People & Processes
Few organisations have the internal expertise and resources to handle the challenges inherent in providing and maintaining an adequate security posture
• Security is a relatively new discipline and covers a multitude of IT functions
− e.g., from secure coding practices to risk management
• A dedicated Security Officer / function is unlikely in small to medium enterprises
• Security personnel with appropriate risk governance, management, architecture and technical skills can be expensive to recruit, hire and retain, which is a challenging problem for organisations with limited IT budgets
Governance Challenges: Technology
Infrastructure
• Converged Network
• Costs (Firewalls, IPS, VPNs, Proxies, RAS, Enterprise Vulnerability Management)
Allocation of either excessive or insufficient funding to address residual risks, resulting in inconsistent and inappropriate application of technology security controls
Technology Competencies
• Deploying, learning and managing new security technology is challenging
Reactive investments resulting in disparate security measures / architecture to address ad-hoc business initiatives
Governance Challenges: Compliance
Top Down Risk Assessment Approach?
• Independent Audits, including:
− Internal & External
− Special Audits
• Regulatory Drivers, including:
− Privacy Act – National Privacy Principles
− Payment Card Industry Data Security Standards (PCI)
− Sarbanes-Oxley
− Basel II
− Federal Government
− Corporate Governance (Corporations Law)
Governance Challenges: Drivers for Change
Business Threats
• Loss of public confidence / reputation;
• Privacy loss;
• Direct business losses (e.g., Fraud);
• Business disruption; and
• Legal liability.
Governance Challenges: Drivers for Change
Vulnerabilities
• Software defects
− design & coding flaws
• Configuration errors
− dangerous and unnecessary services, default configurations, administrative access and administration errors
Enterprise Case Study
Vulnerability findings per IP address range, by risk level:
IP Address Range        Active Assets   High   Med    Low    Informational
10.2.0.0 - 255.255      786             377    903    1169   1380
10.4.0.0 - 255.255      639             525    853    968    1117
10.59.0.0 - 255.255     993             402    416    772    800
10.114.0.0 - 255.255    107             31     84     416    349
10.120.9.0 - 102.170    256             46     116    411    245
Sub Total               2781            1381   2372   3736   3891
High and Medium combined: 3753
Threat and Vulnerability Management Strategy
Defence in Depth Strategies
• Adopt and embed an organisational specific ISMS Framework
• Adopt a Vulnerability Management strategy
• Network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses, worms and spyware
• Inline Intrusion Prevention Systems
• Improve End Point Security
• Application specific firewalls or leverage application awareness of existing firewalls
• Deploy additional antivirus protection points
Michael Sentonas
Director, SE & Services - APAC
McAfee
Stop Managing Security. Start Managing Risk.
Inefficient Risk & Compliance Approach
Processes
• “Fire-drill” response lacks workflow
• Spreadsheet and Post-it
• Scan everything and fix everything approach
People
• Manual approach
• Multiple audiences
• Lack of coordination
Technologies
• Too many vendors
• Little integration
• Too much data
• Too many agents
• Too many consoles
Result? Wasted resources, subjective risk scores, lack of visibility and inconsistent reporting
Do you know which security risks you face?
If you can’t measure it, you can’t manage it
• Is your security spend reducing your risk exposure?
Our digital neighborhood keeps getting tougher and riskier every day:
• Threats are increasing in number – more than 2,000 a day
• More than 200,000 online threats over next two years, more than total of past 20 years – McAfee Avert Labs
• Hackers compete to have a “month of browser bugs”
• More high risk vulnerabilities released in 2006 than all of 05 & 06
• OS vendors taking months to release patches
Our speed of reaction determines how well we do against the “bad guys”
• We need to respond appropriately with proper testing and change control
Source: Computer Security Institute
Do you know what you are protecting?
Not all assets are created equal
• If a server stops working the business stops
• If the reception computer stops the receptionist uses pen and paper
Do you focus on protecting the most valuable assets first?
Some threats may not impact you - other threats may be critical
Do you know which applications are on your computers?
• When SQL Slammer hit, many businesses were surprised to find SQL databases on their users’ computers, not just on corporate servers
Consider:
♦ Business value of the asset (A)
♦ Vulnerabilities that exist on each asset (V)
♦ Probability that a threat could exploit the vulnerability (T)
♦ Existence of a properly configured countermeasure (CM)
Risk = (A × V × T) / CM
Implement a Priority-Based approach
Effective VM allows you to always focus on the most critical assets first
The purpose should be to calculate risk
• Potential risk vs realised risk
Risk: correlate the known presence of a vulnerability on a business-critical asset with a real-time threat exploiting that vulnerability, considering any countermeasures in place
Automate the process to effectively streamline and create efficiencies
Risk Identification
Identify potential exposures
• Attack surface area
Create an inventory of all risk exposures
• Identify known vulnerabilities
• Classify vulnerabilities
− boundary condition, input validation, etc.
Identify impact of vulnerability
• Impact (High, Medium, Low) or use a numerical scale
− How serious is the vulnerability? Remote or local access; user or privileged access
− What objects are exposed: files, directories, data, passwords, etc.
− Does it impact Confidentiality, Integrity, Availability?
Understand the threats you face
Unrealized Threats
• Who or what can exploit vulnerabilities
• Attack Vectors
− Internet vs. Internal
− Email propagation vs. one-off attacks
− Worms – Is it the next security Tsunami?
• Ease of exploitation
− Is it trivial or theoretical?
− Publicly available exploit
• Actors
− Are you or your industry a target?
Realized
• Event-driven threats
− Already happened
− IDS attacks
− Firewall or host logs
Remediation / Resolution
Apply the Pareto Principle – the 80/20 rule
• Focus on the vital few not the trivial many
• 80% of your risk can be eliminated by addressing 20% of the issues
• Approach:
− Address the greatest risks
− Strive for sufficient risk mitigation at the lowest cost
− Minimal impact to the business
Patching or Mitigate
• Impact on availability from a bad patch vs. the risk of not patching
• Patch or mitigate
• Recommendations:
− QA security patches 24 hours
− Determine if there are widespread problems
− Implement defense in depth
Are you more secure today?
…than you were yesterday or last year?
Without changes your network will get less secure
Score your network – a 0-100 security scoring system based on vulnerabilities and asset criticality
Ensure you have a clear risk score immediately visible as a statement of overall enterprise risk level
Include executive dashboards for comparing business units/regions, platforms and tracking/reporting key statistics
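The Risk = (A × V × T) / CM model, the priority-based approach, the Pareto remediation rule and the 0-100 network score described above, worked through as an added Python example (not code from the presentation or from McAfee's products); the Exposure fields, the 1-5 scales, the countermeasure factor and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    """One vulnerability on one asset (constructed model, not the presenters' tool)."""
    asset: str
    asset_value: int       # A: business value, 1 (reception PC) .. 5 (business-critical)
    vuln: str
    severity: int          # V: vulnerability severity, 1 .. 5
    threat: float          # T: probability a live threat exploits it, 0.0 .. 1.0
    countermeasure: float  # CM: 1.0 = nothing in place; > 1.0 means a configured control

def risk(e: Exposure) -> float:
    """Realised risk: Risk = A x V x T / CM, correlating asset, vulnerability, threat and control."""
    return e.asset_value * e.severity * e.threat / e.countermeasure

def potential_risk(e: Exposure) -> float:
    """Potential risk: the same model with T = 1, i.e. the cost if a threat appears."""
    return e.asset_value * e.severity / e.countermeasure

def prioritise(exposures):
    """Priority-based approach: the most critical exposures (highest realised risk) first."""
    return sorted(exposures, key=risk, reverse=True)

def vital_few(exposures, share=0.8):
    """Pareto rule: the shortest prefix of the ranking that carries `share` of the total risk."""
    ranked = prioritise(exposures)
    target = share * sum(risk(e) for e in ranked)
    chosen, covered = [], 0.0
    for e in ranked:
        if covered >= target:
            break
        chosen.append(e)
        covered += risk(e)
    return chosen

def network_score(exposures) -> float:
    """0-100 score: 100 = no realised risk; 0 = every exposure at full threat with no controls."""
    worst = sum(e.asset_value * e.severity for e in exposures)
    if worst == 0:
        return 100.0
    return round(100 * (1 - sum(risk(e) for e in exposures) / worst), 1)

# Constructed sample inventory: the same SQL listener on a critical database and on a user PC
SAMPLE = [
    Exposure("erp-db01", 5, "exposed SQL listener", 5, 0.9, 1.0),
    Exposure("reception-pc", 1, "exposed SQL listener", 3, 0.9, 2.0),
    Exposure("file-srv", 4, "default admin configuration", 4, 0.3, 1.0),
    Exposure("web-proxy", 3, "unnecessary service enabled", 2, 0.1, 4.0),
]
```

With this inventory the same vulnerability scores 22.5 on the database and 1.35 on the reception PC, so the "vital few" to fix first are the database and the file server, and the network scores 42.4 out of 100.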
Stop Managing Security. Start Managing Risk.
Contacts: Darren O’Loughlin (Dimension Data Australia); Michael Sentonas (McAfee)