National Cyber Security: awareness and self-assessment
Security Triage: an efficient security assessment compatible with the business cycle, the experience of Poste Italiane
Fabio Massacci & M. Giacalone, R. Mammoliti, F. Paci, R. Perugino, C. Selli
Trento, 10 October 2014
10.10.2014 - Trento - ISACA VENICE Chapter (slide 1)
Security Triage: efficient security management compatible with the business cycle, the experience of Poste Italiane (v. 1.3a)
National Cyber Security: awareness and self-assessment
Event organisers and sponsors
Sponsors and supporters of ISACA VENICE Chapter
Under the patronage of
Fabio Massacci
Fabio Massacci is full professor of Information Engineering at the University of Trento. For UNITN he was the Rector's delegate for the IT Directorate for 7 years and vice-director for education for Italy of the European Institute of Technology - ICT Labs.
He collaborates with the Poste Italiane Innovation Lab in Trento. He has more than 150 publications (h-index >30) and manages numerous academia-industry research projects on security management, security economics, and the impact of research projects on innovation.
He has been an ISACA member since 2008 and has written in the ISACA Journal on security management and compliance.
ABSTRACT
Poste Italiane is a large corporation offering integrated services in banking and savings, postal services, and mobile communication. Every year, it receives thousands of change requests for its ICT services. Applying to each and every request a security assessment "by the book" (be it COBIT, ISO 27001, BSI, IAS, etc.) is simply not possible. We report the experience of Poste Italiane with a lean methodology to identify security requirements that can be inserted in the production cycle of a normal company. The process is based on surveying the overall IT architecture (Security Surveying) and then a lean, dynamic process (Security Triage) to evaluate individual change requests, so that important changes get the attention they need, minor changes can be quickly implemented, and compliance and security obligations are met.
Poste Italiane
• Largest Italian employer
  - banking, financial services, logistics
  - 19 billion euro turnover, 150,000 employees
• Security and compliance regulations
  - European banking regulation, EU privacy laws, credit cards (PCI), criminal laws (PI serves legal notices), etc.
• Thousands of services, apps and servers
  - Every month 150+ change requests to the IT department
  - Every year 2000+ change requests
An Example
• Internal web site for tracking parcels
  - Includes an authenticated web app to monitor single events
• Requests (together with 200 other changes):
  1. Create a dashboard on the screen
  2. Add a field about the nature of the parcel (e.g. "private customer", "parking fine", "legal notice", etc.)
  3. Create a button to export the dashboard result to Excel
• Apparently not a major security problem
Change Implications are not obvious
• Internal web site for tracking parcels
  - Includes an authenticated web app to monitor single events -> not a big security problem
• Requests (together with 200 other changes):
  1. Create a dashboard on the screen
  2. Add a field about the nature of the parcel ("private customer", "parking fine", "legal notice", "credit card")
  3. Create a button to export the dashboard result to Excel
• They do not have the same implications!
  - (2) makes the data relevant to the "Judicial Proceedings" profile -> the whole slate of security regulations applies
Security Assessment by the book
• (Security) assessment is essential
  - "Proper requirements analysis saves significant money"
  - "Security should be considered from the early phases"
  - Bla bla, blu blu, ...
• ISO 27001, NIST 800-53, COBIT, BSI, IAS, EBIOS, ...
  - Input: effort + assessment method
  - Identify assets -> threats and risks -> security controls
  - Output: security requirements for IT systems
• Question: does security assessment "always" empirically deliver value?
Back of the Envelope Computation
• 2000+ change requests x
• ISO 27001 questions:
  - 300 ... on process/people +
  - 16 ... on information +
  - 250 ... on applications +
  - 200 ... on SW components +
  - 200 ... on infrastructures +
  - 100 ... on facilities
• 3 minutes each > 6,000,000 minutes
• Divide by 60 min x 40 hours/week x 48 weeks =
• 52 full-time equivalents/year -> just for asking (and the work?)
Security analysis by the book (ISO 27001, COBIT, BSI, etc.) cannot empirically deliver value at the pace of change.
Get over it!
But what is the alternative?
Key Ideas
• NOT every change request deserves equally good (security) requirements analysis
• Triage, noun, medicine
  - the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties.
• Survey, verb, architecture
  - examine and record the area and features of (a large area of land) so as to construct a map, plan, or description.
Security Triage + Survey
• Security Survey (off-line = lengthy)
  - Build a "map" of the IT architecture (more than a UML diagram!) -> assign business/security perimeter (heart attack, stroke, mild concussion, etc.) -> identify relative requirements (adrenaline shot, NMR scan, paracetamol, etc.)
• Security Triage (on-the-fly = quick)
  - Ask high-level questions on change requests -> assess critical features (chest pain, slurred speech, etc.) -> decide order of security treatment (Red = full SRE)
Questions for the Triage
• For every change request, security experts support the change owner
• Ask what kind of data you have ... and
• ... whether a compromise in
  - confidentiality, integrity, availability (how big)
• ... leads to an impact on
  - reputation, financial losses, commercial edge (against competition), legal obligations, operational efficiency
• FEW simple questions for the "change owner"
  - E.g. X hours of downtime (availability) may lead to a minor/major/significant/business-critical loss of reputation
• Security experts determine security perimeters and criticality (1-5) based on the answers
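How the answers to these few questions can be turned into a criticality and a treatment colour, and how the "nature of parcel" field from the earlier example changes the outcome, as an added Python illustration that is not from the slides or from Poste Italiane. The loss scale, the CIA and impact dimensions and the parcel example come from the deck; the scoring rule (worst loss + 1, regulated data forces at least 4) and the REGULATED_DATA mapping are assumptions.

```python
from dataclasses import dataclass

# Loss scale the change owner ticks per question: the slides' minor/major/
# significant/business-critical scale, plus "none" when there is no loss.
LOSS_LEVELS = {"none": 0, "minor": 1, "major": 2, "significant": 3,
               "business critical": 4}
CIA = ("confidentiality", "integrity", "availability")
IMPACTS = ("reputation", "financial", "commercial", "legal", "operational")
# Assumed mapping from a kind of data to the regulated perimeter it triggers;
# the slides name "legal notice" -> Judicial Proceedings and credit cards -> PCI.
REGULATED_DATA = {"legal notice": "Judicial Proceedings", "credit card": "PCI"}


@dataclass
class ChangeRequest:
    title: str
    data_kinds: set   # kinds of data the changed system will hold
    answers: dict     # (cia, impact) -> loss level ticked by the change owner


def triage(cr):
    """Map the owner's answers to (criticality 1-5, perimeters, colour).

    Criticality = worst ticked loss + 1, and regulated data forces >= 4. This
    scoring rule is an assumption for illustration, not Poste Italiane's own.
    """
    for (cia, impact), level in cr.answers.items():
        if cia not in CIA or impact not in IMPACTS or level not in LOSS_LEVELS:
            raise ValueError(f"malformed answer {(cia, impact, level)!r}")
    perimeters = sorted({REGULATED_DATA[d] for d in cr.data_kinds
                         if d in REGULATED_DATA})
    if not cr.answers:
        # A blank questionnaire is not "no security analysis needed": the owner
        # did not understand the questions, so the security team calls back.
        return None, perimeters, "Callback"
    criticality = max(LOSS_LEVELS[v] for v in cr.answers.values()) + 1
    if perimeters:
        criticality = max(criticality, 4)   # regulated data never gets "default"
    colour = "Red" if criticality >= 4 else "Yellow" if criticality == 3 else "Green"
    return criticality, perimeters, colour  # Red = full SRE, Green = default path


# Constructed sample: the parcel-tracking dashboard request from the slides,
# before and after request (2) adds the "nature of parcel" field.
ANSWERS = {("confidentiality", "reputation"): "minor",
           ("availability", "operational"): "minor"}
DASHBOARD = ChangeRequest("Dashboard + Excel export", {"private customer"},
                          ANSWERS)
WITH_NOTICES = ChangeRequest("Dashboard + nature of parcel",
                             {"private customer", "legal notice"}, ANSWERS)
```

Run `triage(DASHBOARD)` and `triage(WITH_NOTICES)` to see the same owner answers land on the default path without the new field and on the Red, full-assessment path once legal notices are in scope.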
Empirical Measures
[Figure: "Mean of Effort to Perform the Security Assessment", mean effort (5 to 30) per change request D01-D22, C1-C5 and ISRM, grouped into Low, Medium-Low, Medium, High-Medium and High; factors: DEPT, ANALYSIS, IMPACT]
• Does it save time? Does it correctly identify perimeters?
• That's not obvious -> the actual questions make a huge difference
  - If change owners don't understand the questions they call back the security team to answer
  - If you ask the wrong questions the change owner may tick "no security analysis needed"
• Wilcoxon test says yes...
Key Takeaways
• (Security) Triage
  - determines which requests get a "high quality" assessment and which ones the "default" one
• (Security) Survey
  - background for the decision (avoid overkilling and underestimating), providing a "template" assessment
  - dynamically updated after each change request
• It empirically works! And can be adopted on every one of the 2000+ change requests
  - Pilot: from 10-40 days/request -> 5 days/request and shrinking...
Thank you for your attention!
• Poste Italiane S&T
  - http://www.poste.it
  - Distretto Cybersecurity
    - http://www.distrettocybersecurity.it
• University of Trento - Security
  - http://securitylab.disi.unitn.it
  - [email protected]
  - Seconomics Project
    - http://www.seconomicsproject.eu