National Cyber Security: awareness and self-assessment

Security Triage: an efficient security assessment compatible with the business cycle, the experience of Poste Italiane (v. 1.3a)

Fabio Massacci & M. Giacalone, R. Mammoliti, F. Paci, R. Perugino, C. Selli
Trento, 10 October 2014 (10.10.2014 - Trento - ISACA VENICE Chapter)

Event organizers and sponsors
Sponsors and supporters of ISACA VENICE Chapter; under the patronage of the event partners (logo slide).

Fabio Massacci
Fabio Massacci is full professor of Information Engineering at the University of Trento. For UNITN he served for 7 years as the Rector's delegate for IT, and as vice-director for education for Italy of the European Institute of Technology - ICT Labs. He collaborates with the Innovation Lab of Poste Italiane in Trento. He has more than 150 publications (h-index >30) and manages numerous academia-industry research projects on security management, security economics, and the impact of research projects on innovation. He has been an ISACA member since 2008 and has written in the ISACA Journal on security management and compliance.

ABSTRACT
Poste Italiane is a large corporation offering integrated services in banking and savings, postal services, and mobile communication. Every year it receives thousands of change requests for its ICT services. Applying to each and every request a security assessment "by the book" (be it COBIT, ISO 27001, BSI, IAS, etc.) is simply not possible.
We report the experience of Poste Italiane with a lean methodology to identify security requirements that can be inserted in the production cycle of a normal company. The process is based on surveying the overall IT architecture (Security Survey) and then on a lean, dynamic process (Security Triage) to evaluate individual change requests, so that important changes get the attention they need, minor changes can be implemented quickly, and compliance and security obligations are met.

Poste Italiane
• Largest Italian employer: banking, financial services, logistics
  - 19 billion euro turnover, 150,000 employees
• Security and compliance regulations
  - European banking regulation, EU privacy laws, PCI (credit cards), criminal law (PI serves legal notices), etc.
• Thousands of services, apps and servers
  - Every month 150+ change requests to the IT department
  - Every year 2000+ change requests

An Example
• Internal web site for tracking parcels
  - Includes an authenticated web app to monitor single events → not a big security problem
• Requests (together with 200 other changes):
  1. Create a dashboard on the screen
  2. Add a field about the nature of the parcel (e.g. "private customer", "parking fine", "legal notice", "credit card", etc.)
  3. Create a button to export the dashboard result to Excel
• Apparently not a major security problem

Change Implications Are Not Obvious
• The three requests do not have the same implications!
• (2) makes the data relevant to the "Judicial Proceedings" profile → the whole slate of security regulations applies

Security Assessment by the Book
• (Security) assessment is essential
  - "Proper requirements analysis saves significant money"
  - "Security should be considered from the early phases"
  - Bla bla, blu blu, …
• ISO 27001, NIST 800-53, COBIT, BSI, IAS, EBIOS, …
• Input: effort + assessment method
  - Identify assets → threats and risks → security controls
• Output: security requirements for IT systems
• Question: does security assessment "always" empirically deliver value?

Back of the Envelope Computation
• 2000+ change requests ×
• ISO 27001 questions:
  - 300 … on process/people
  - + 16 … on information
  - + 250 … on applications
  - + 200 … on software components
  - + 200 … on infrastructure
  - + 100 … on facilities
  (about 1,066 questions per request)
• 3 minutes each → more than 6,000,000 minutes
• Divide by 60 min × 40 hours/week × 48 weeks =
• 52 full-time equivalents per year → just for asking the questions (and the work?)

Security analysis by the book (ISO 27001, COBIT, BSI, etc.) cannot empirically deliver value at the pace of change. Get over it! But what is the alternative?

Key Ideas
• NOT every change request deserves an equally good (security) requirements analysis
• Triage, noun, medicine: the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties.
• Survey, verb, architecture: examine and record the area and features of (a large area of land) so as to construct a map, plan, or description.

Security Triage + Survey
• Security Survey (off-line = lengthy)
  - Build a "map" of the IT architecture (more than a UML diagram!)
  - → assign a business/security perimeter (heart attack, stroke, mild concussion, etc.)
  - → identify the relative requirements (adrenaline shot, NMR scan, paracetamol, etc.)
• Security Triage (on-the-fly = quick)
  - Ask high-level questions on change requests
  - → assess critical features (chest pain, slurred speech, etc.)
  - → decide the order of security treatment (Red = full security requirements engineering)

Questions for the Triage
• For every change request, security experts support the change owner
• Ask what kind of data you have … and
  - … whether a compromise of confidentiality, integrity or availability (how big) …
  - … leads to an impact on reputation, financial losses, commercial edge (against competition), legal obligations, operational efficiency
• FEW simple questions for the "change owner"
  - E.g. X hours of downtime (availability) may lead to a minor / major / significant / business-critical loss of reputation
• Security experts determine the security perimeters and the criticality (1-5) based on the answers

Empirical Measures
[Plot: mean effort to perform the security assessment, by department (D01-D22) and criticality group (C1-C5, ISRM), against the impact factors Low / Medium-Low / Medium / High-Medium / High; axes: DEPT, ANALYSIS, IMPACT factors]
• If change owners don't understand the questions, they call the security team back to answer them
• If you ask the wrong questions, the change owner may tick "no security analysis needed"
• Does it save time?
• Does it correctly identify the perimeters?
• That's not obvious → the actual questions make a huge difference
• The Wilcoxon test says yes…

Key Takeaways
• (Security) Triage determines which requests get a "high quality" assessment and which ones the "default" one
• (Security) Survey is the background for the decision (avoid overkill and underestimation), providing a "template" assessment dynamically updated after each change request
• It empirically works! And it can be applied to every one of the 2000+ change requests
  - Pilot: from 10-40 days/request → 5 days/request and shrinking…

Thank you for your attention!
• Poste Italiane S&T: http://www.poste.it
  - Distretto Cybersecurity: http://www.distrettocybersecurity.it
• University of Trento - Security: http://securitylab.disi.unitn.it
  - Fabio.Massacci@unitn.it
  - Seconomics Project: http://www.seconomicsproject.eu