Do you know where your Information Security gaps really are

DO YOU KNOW WHERE YOUR
INFORMATION SECURITY GAPS ARE?
REDUX
Edward Vasko, CISSP
Originally Presented in 2003
What have we learned?
Disclaimer/Warning/Question
• This presentation was originally provided in 2003
• Stats provided are NOT fresh!!!
• Case studies are financially focused because of the audience at the time
• In your opinion, how much has REALLY changed?
• Time to discuss that question at the end…
Agenda
• What is the current state of
Information Security?
• What are we forgetting?
• Policies, processes & procedures…Oh my!
• Case Study
• Ah, People…There’s the rub…
• Case Studies & Program Elements
• Is technology actually hurting your efforts?
• Case Studies
• Q&A
Current state of InfoSec (2003)
• It’s bad out there…In the past 14 days alone…
  • “Internet Chat Seen as Tool To Teach Theft Of Credit Cards” - New York Times
  • “Hacker Prevents Access to Microsoft” - LA Times
  • “Hackers Attack Flaw in Cisco Equipment” - LA Times
  • “University of Michigan Student Charged with Hacking” - SC Magazine
  • “Web worm attacks Windows, spreads fast-experts” - Reuters (8/11/03)
Current state of InfoSec (2003)
• Computer Security Institute (CSI) Statistics
• Organizational loss due to…
• Theft of proprietary info: $70M
• Denial of Service: $65M
• Viruses: $27M
• Website attacks
• 77% of respondents reported 2 or more attacks
• Most attacks either vandalism or denial of service
• 50% of those attacked DID NOT report it!
Current state of InfoSec (2003)
• Anti-virus vendors estimate 200 new
viruses/strains on the Net each month!
• CERT Statistics (Q1-Q2 of 2003 alone)
• 76,404 security incidents
• 1,993 vulnerabilities identified
• New stats coming out all the time to show how
bad it is…
• www.gocsi.org (Crime & Security Stats)
• http://www.cert.org/stats/cert_stats.html (Carnegie
Mellon)
• www.securitystats.com (Lots of links from Anti-virus,
web defacements and more!)
Current state of InfoSec (2003)
• Almost all stats point out one thing not mentioned in the
media…
• 80% of all security incidents occur within an organization’s
boundaries
What are we forgetting?
[Slide diagram: three overlapping areas, Process, Technology and People]
• These are the traditional areas of focus for InfoSec:
• Process
  • Policies
  • Procedures
  • Regulations
• Technology
  • Applications
  • Networks
  • Systems
  • Databases
  • Web
  • Telephone
  • …
• “New” area for InfoSec:
• People
  • Awareness
  • Education
What are we forgetting?
• What good are “Policies & Procedures” if no one follows
them?
• What good is technology if everyone knows how to
bypass it…Or, it doesn’t work?
• What good is a system without people?
What are we forgetting?
• Who owns Information Security?
• What good is Information Security if I can walk in and take
what I want?
• The “critical chasm” we have to cross is where people,
process & technology meet…
What are we forgetting?
[Slide diagram shown again: Process, Technology and People]
• Process
  • Policies
  • Procedures
  • Regulations
• Technology
  • Applications
  • Networks
  • Systems
  • Databases
  • Web
  • Telephone
  • …
• People
  • Awareness
  • Education
Policies, Processes & Procedures…Oh My!
• Do they represent your organization’s risk
levels and needs?
• What value do they provide…Really?
• How can we get people to follow them better?
Policies, Processes & Procedures…Oh My!
• Policy – General statement by senior management to
dictate what kind of behavior (security, regulatory, etc) is
acceptable within an organization.
• Process – Specifies at a high level the methods and
controls that an organization must follow in implementing
technology in an environment (e.g. HR to IT workflow
process).
• Procedures – Detailed step-by-step actions to achieve a
specific task.
Policies, Processes and Procedures…Oh My!
• Recognizing when your “P3’s” may no longer be
supporting your organization
• Recent acquisitions?
• How often are you updating P3’s?
• How quickly are you hiring people?
• How quickly are you expanding service lines?
• What is the impact to P3’s because of these
items?
Case Study 1 – Community Bank
• Five small acquisitions in a 12-month period of
time
• Barely had time to merge technology, let alone business
policies, processes and procedures
• Had not updated documentation in over 2 years
• Communication disconnect between HR and
InfoSec
• No alerts when employees left
Case Study 1 – Community Bank
• Two incidents within 1 month changed
everything…
• Disgruntled IT sys admin left the organization
• Loss of knowledge capital
• Lack of procedures to prevent this loss
• Client complaints of employees watching ESPN on their
computers
• Loss of client confidence
• Out of date acceptable use policy
Case Study 1 – Community Bank
• Remediation of risk
• Updated P3’s to handle…
• Division of duties
• No one person had all the keys/knowledge
• Cross-training & cross knowledge transfer of IT admins
• Acceptable use of Internet Policy
• Limited use to business purposes only
• Worked with HR to enforce P3 violations
Policies, Processes and Procedures…Oh My!
• What’s the value of having P3’s?
• Traditionally
• Legal “CYA” needs
• Regulatory “CYA” needs
• In reality
• They reduce/mitigate risk and are just as important as the
technology/programs we implement
Ah, People…There’s the Rub
• Who are your InfoSec owners?
• Does InfoSec stop at Technology?
• What (non-technical) controls do you need?
Ah, People…There’s the Rub
• Questions to consider…
• Who owns InfoSec in your organization?
• How do InfoSec owners know they have ownership?
• What does InfoSec have control over (digital, paper)?
Case Study 2a – Small Credit Union
• AZ Branches and service centers
• Retail branches and Mortgage centers
• Prior to program implementation:
• Passwords of users openly shared even though policy
stated not to…
• Hard drives shared openly by users
• 75% of systems had high risk factors
• Passwords easily guessable
• Weak InfoSec controls in place
• Network completely flat across business lines
Case Study 2a – Small Credit Union
• What was at risk from our assessment?
• Client record privacy
• Financial data
• Personnel records
• Bad Regulator scores…
• What was the root cause?
• Lack of staff awareness of InfoSec ownership
Case Study 2a – Small Credit Union
• Awareness Program Implementation
• Large & small group sessions held
• Risks identified for employees
• Communication procedures created
• Employees made to role play through situations
• Continued education after session through “friendly reminders”
• Information posters placed up within buildings
• E-mail newsletter created to inform users
• Sent every month with updates and kudos
Case Study 2a – Small Credit Union
• Awareness Program Implementation
• Policies developed with management support
• Employees made to sign accepting/understanding policies
• Technology used to enforce
• Purposefully involved Human Resources & Legal Dept.
• Factors added to employee review
• Asked for department volunteers to act as points of
contact
• Increased likelihood of reporting issues
• Increased response for issues
Case Study 2b – Large National Bank
• InfoSec controls are not always technical in
nature…
• This stuff happens to the big guys as well…
• Services provided around the country
• 46 branches and service locations
• Retail and commercial services
• Mortgage services
• Merchant services
• E-banking
• 1200 employees around the country
• Growth primarily through acquisition
Case Study 2b – Large National Bank
• “Great Candy” for attackers…
• Hard outer shell…Great Perimeter network security
• Banner replacements for open ports
• Outsourced web services to well known, SAS-70 backed companies
• Proxy server in place for staff to utilize when connecting out
Case Study 2b – Large National Bank
• “Great Candy” for attackers…
• Soft, chewy center…Terrible internal and physical security
• Open network between lines of business
• Complete lack of physical security controls
• Mortgage service centers in particular
• Examples to follow
Case Study 2b – Large National Bank
• Physical controls were leveraged against the
bank’s information
• To “great” results for the attacker
• We infiltrated EVERY physical location without
breaking a sweat
• Branches included
• We were able to gather client and employee data right from the
desks of the information owners
• Offered lunch in one facility
• Terrible results for the bank…
Case Study 2b – Large National Bank
• Results
• Board approval of 14 InfoSec projects
• Make up for multiple years of ignoring the issue
• Millions of dollars are now being spent by this bank in
one large sum rather than spread out over appropriate
timeframes
• InfoSec controls for “soft, chewy center”
• P3 redevelopment
• Awareness and education
• Physical control re-vamping
Case Study 2b – Large National Bank
• What was at risk?
• Well, what wasn’t at risk may be the better question
• External attacks from the Internet were about it
Ah, People…There’s the Rub
• If history teaches us anything…
Ah, People…There’s the Rub
• What are the possible impacts to an organization
when there is no awareness & education?
• Lack of reporting
• Lack of knowing what is right and what is wrong
• People find ways around the controls within systems
• More controls, more technology, more complexity
Ah, People…There’s the Rub
• Awareness is not…
• Sending the “once-a-year” e-mail proclaiming a list of “Do’s & Do
not’s”
• Expecting people to remember something after being told 2, 5, or
20 times
Ah, People…There’s the Rub
• Awareness is when…
• Employees are aware of the risks
• Can identify & report them
• Employees have communications on risks
• Employees take an active role in InfoSec ownership
• Awareness is created through education
Ah, People…There’s the Rub
• Program Elements
• Assess current risk levels
• Top Management support
• Clear channels of communication
• Employees should feel empowered, not accused
• Make it fun
Is technology actually hurting?
• When does technology hurt your InfoSec
efforts?
• When should technology be used (and not)?
• How to integrate non-technical controls
into your infrastructure?
Is technology actually hurting?
• When does technology hurt your InfoSec efforts?
• When it’s not configured properly…
• When vendors place too much faith in their application
controls
• Application controls are the LAST thing an experienced attacker
will leverage
• When there is a cheaper, more efficient non-technology
control
• Tech for tech’s sake is actually a stake in the heart
Is technology actually hurting?
• When should you use technology (and not)?
• Core systems/data
• Couple with a strong incident response program
• To enforce a policy
• Password settings and awareness program
• To automate a process
• HR notifications of employee departures
• To make life “easier” without compromising the
organization
• Password resets leading to inadvertent denial of service
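The “automate a process” bullet above, and the HR/InfoSec disconnect in Case Study 1 (no alerts when employees left), both come down to the same reconciliation: compare what HR says about who has left with what the directory says is still enabled. The following is an added example, not code from the presentation or from TVRMS; the roster, account list and date format are constructed sample data, and the field names are assumptions.

```python
# Added example (not part of the original presentation): reconcile an HR
# roster against a directory export to find accounts that should have been
# disabled. All employee ids, names, dates and account names are constructed.
from datetime import date

# Constructed HR feed: termination date as ISO text, None means still employed.
HR_ROSTER = [
    {"emp_id": "E100", "name": "A. Teller", "term_date": None},
    {"emp_id": "E101", "name": "B. Admin", "term_date": "2003-07-31"},
    {"emp_id": "E102", "name": "C. Loan", "term_date": "2003-08-15"},
]

# Constructed directory export: one row per account, linked to an HR id.
ACCOUNTS = [
    {"account": "ateller", "emp_id": "E100", "enabled": True},
    {"account": "badmin", "emp_id": "E101", "enabled": True},
    {"account": "badmin-adm", "emp_id": "E101", "enabled": True},  # privileged second account
    {"account": "cloan", "emp_id": "E102", "enabled": True},
    {"account": "oldtemp", "emp_id": "E099", "enabled": False},    # already disabled
    {"account": "svc-backup", "emp_id": None, "enabled": True},    # nobody in HR owns it
]


def _as_date(value):
    """Accept either a date or ISO text so callers can pass '2003-08-11'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def departed_ids(roster, as_of):
    """Employee ids whose termination date is on or before as_of."""
    as_of = _as_date(as_of)
    return {
        r["emp_id"]
        for r in roster
        if r["term_date"] and _as_date(r["term_date"]) <= as_of
    }


def find_orphaned_accounts(roster, accounts, as_of):
    """Return (account, reason) for every enabled account that should be disabled.

    Two reasons are reported: the owner has left according to HR, or the
    account has no owner HR knows about. Both mean the HR-to-IT workflow
    has a gap; the second also catches shared/service accounts nobody owns.
    """
    gone = departed_ids(roster, as_of)
    known = {r["emp_id"] for r in roster}
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already handled, nothing to do
        if a["emp_id"] in gone:
            findings.append((a["account"], "owner departed"))
        elif a["emp_id"] not in known:
            findings.append((a["account"], "no HR owner"))
    return findings


if __name__ == "__main__":
    for account, reason in find_orphaned_accounts(HR_ROSTER, ACCOUNTS, "2003-08-11"):
        print(f"disable {account}: {reason}")
```

Run on a schedule, this replaces the missing “alert when employees leave”; the date parameter matters because a termination dated in the future should not disable an account early (cloan is reported only once its date has passed).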
Case Study 3a – Credit Union processing system
• Lack of system controls leads to risky
environment
• FTP and Telnet access enabled (no SSH/SSL)
• File level permissions not secured
• Application not using Trusted Computing Base (TCB)
• These controls are lacking because the vendor
believes its application controls are enough
security
Case Study 3a – Credit Union processing system
• What are the vulnerabilities?
• Easy “side paths” for attackers to get in
• No need to go through the front door
• Once an attacker is in, easy elevation of privileges
• Little/no audit trail to clean up, so little/no recourse
• What are the risks?
• Exposed client data
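Two of the Case Study 3a findings (FTP/Telnet enabled, file-level permissions not secured) are the kind of thing a short audit script surfaces before an assessor does. The block below is an added example, not code from the presentation or the vendor; the netstat-style and ls-style listings are constructed, and the data directory path is an assumption.

```python
# Added example (not part of the original presentation): flag cleartext
# services listening on the network and data files readable or writable by
# everyone. Both listings below are constructed sample text in the familiar
# `netstat -tln` and `ls -l` layouts; paths are assumptions.

# Cleartext services the case study names, with the encrypted replacement
# to put in the report.
CLEARTEXT_SERVICES = {21: ("ftp", "sftp/ftps"), 23: ("telnet", "ssh")}

LISTENERS = """\
Proto Recv-Q Send-Q Local Address      Foreign Address State
tcp        0      0 0.0.0.0:21         0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:22         0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:23         0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:3306     0.0.0.0:*       LISTEN
"""

FILES = """\
-rw-rw-rw- 1 core core 1048576 Aug 11 2003 /opt/core/data/members.dat
-rw-r--r-- 1 core core  524288 Aug 11 2003 /opt/core/data/loans.dat
-rw-r--r-- 1 core core    2048 Aug 11 2003 /opt/core/etc/app.conf
-rw------- 1 core core    4096 Aug 11 2003 /opt/core/etc/db.passwd
-rwxr-xr-x 1 root root   65536 Aug 11 2003 /opt/core/bin/process
"""


def audit_listeners(netstat_text):
    """Return (port, service, replacement) for each cleartext service that is
    listening on something other than the loopback address."""
    findings = []
    for line in netstat_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit copes with [::]:21 too
        port = int(port)
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port in CLEARTEXT_SERVICES and not loopback:
            name, replacement = CLEARTEXT_SERVICES[port]
            findings.append((port, name, replacement))
    return findings


def audit_files(ls_text, data_prefix="/opt/core/data/"):
    """Flag any world-writable file, and world-readable files under the
    application's data directory (assumed path), based on the 'other' bits."""
    findings = []
    for line in ls_text.splitlines():
        fields = line.split(None, 8)  # 9th field is the path, spaces preserved
        if len(fields) < 9 or not fields[0].startswith("-"):
            continue  # regular files only
        mode, path = fields[0], fields[8]
        other = mode[7:10]  # the rwx triplet for everyone else
        if "w" in other:
            findings.append((path, "world-writable"))
        elif "r" in other and path.startswith(data_prefix):
            findings.append((path, "world-readable data file"))
    return findings


if __name__ == "__main__":
    for port, name, replacement in audit_listeners(LISTENERS):
        print(f"port {port}: {name} in the clear, replace with {replacement}")
    for path, problem in audit_files(FILES):
        print(f"{path}: {problem}")
```

The two checks deliberately ignore what the application itself enforces: the point of the case study is that the vendor's application controls are irrelevant once the underlying system offers a side path.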
Case Study 3b – In-house web application
• Bank client
• Providing services to commercial clients
• Demand from clients drove RAD project
• Had in-house “development team”
• No published Software Development Life Cycle (SDLC)
• Environment
• IIS as web environment
• VBScript/ASP for language
• SQL2000 for DB
• SSL for data integrity/confidentiality
• All this was on the same system…
Let’s get graphical…
Case Study 3b – In-house web application
• Lack of application/server controls
• No integrity/boundary checking on form data
• Example - “Hi there” for SSN
• Led to multiple examples of buffer overflows
• Microsoft’s IIS not configured properly
• Security patches not up to date
• SQL Server and firewall had port 1433 open
• ‘sa’ password set to institutional name
• We owned their system in under 20 minutes
• Access to commercial client data
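The “Hi there” for SSN finding above is a missing boundary check: the form accepted any length and any content and passed it straight to the back end. The block below is an added example, not the bank's ASP code or anything from the presentation; it shows the length-then-format contract a server-side validator should enforce, with field names, column limits and formats chosen as assumptions for illustration.

```python
# Added example (not part of the original presentation): server-side boundary
# and format checking for a form like the one in Case Study 3b. Field names,
# maximum lengths and patterns are assumptions; the forms below are constructed.
import re
from decimal import Decimal

# Maximum lengths mirror the (assumed) database column sizes the handler writes
# to; rejecting over-long input at the boundary is what prevents the overflows
# the case study describes. Patterns use [0-9] rather than \d so that Unicode
# digits are not accepted by accident.
FIELD_RULES = {
    "ssn":     {"max_len": 11, "pattern": re.compile(r"[0-9]{3}-[0-9]{2}-[0-9]{4}")},
    "account": {"max_len": 12, "pattern": re.compile(r"[0-9]{6,12}")},
    "amount":  {"max_len": 12, "pattern": re.compile(r"[0-9]{1,9}(\.[0-9]{2})?")},
}


def validate_form(form):
    """Return {field: error}; an empty dict means the submission is clean.

    Each field is checked for presence, then length, then strict format, in
    that order, so an oversized value is rejected before any other work is
    done on it. Fields the form does not define are rejected as well: the
    server defines the contract, not the client.
    """
    errors = {}
    for field, rule in FIELD_RULES.items():
        value = form.get(field)
        if value is None:
            errors[field] = "missing"
            continue
        if len(value) > rule["max_len"]:
            errors[field] = f"too long ({len(value)} > {rule['max_len']})"
            continue
        if not rule["pattern"].fullmatch(value):
            errors[field] = "bad format"
    for extra in sorted(set(form) - set(FIELD_RULES)):
        errors[extra] = "unexpected field"
    return errors


def accept_submission(form):
    """Validate and then normalise into typed values, so the rest of the
    application never handles the raw strings. Returns (record, errors)."""
    errors = validate_form(form)
    if errors:
        return None, errors
    record = {
        "ssn": form["ssn"],
        "account": form["account"],
        "amount_cents": int(Decimal(form["amount"]) * 100),
    }
    return record, {}


if __name__ == "__main__":
    # Constructed submissions: one clean, one with the case study's SSN value.
    for sample in (
        {"ssn": "123-45-6789", "account": "00123456", "amount": "1500.00"},
        {"ssn": "Hi there", "account": "00123456", "amount": "1500.00"},
    ):
        record, errors = accept_submission(sample)
        print(record if record else errors)
```

The validator is only one of the layers the remediation slide lists; it does nothing about the open port 1433 or the guessable ‘sa’ password, which is exactly why the fix also separated the database from the application server and changed the firewall rules.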
Is technology actually hurting?
• Implementation of proper SDLC
• Security checks
• Version controls
• Peer reviews
• New security architecture
• Separate DB server from App server
• Firewall rules changed to block 1433
• New non-technology controls put in place
• Change management
• Incident response
Summary
• Critical chasm impacts on InfoSec
• People, Process & Technology all need to work
together
• Everyone is an owner of InfoSec
• Determining levels of ownership is key
• Physical/operational controls have impact on
InfoSec
• Choose wisely…Not all technology is good
Q&A…
THANK YOU!
Questions?
edward.vasko@tvrms.com
Office: 480-840-1744
info@TVRMS.com
http://www.TVRMS.com