Green - Security Management

Security Management
6 March 2014
PRESENTED BY HANK GREEN
Security Management
How do widely dispersed project teams collaborate safely and securely?
◦ What’s Changing
◦ Typical Security Environments
◦ Five Fundamental Challenges
◦ Real World Situation
◦ Simple Solutions to a Complex Problem
◦ Physical Security
◦ The Insider Threat
◦ Questions & Answers
What’s Changing
Increasing reliance on the Internet (Cloud) as a data access platform
The continuing evolution of information and technology demands a high
degree of integration to provide relevant and effective capabilities, to
include a highly trained and motivated workforce.
Organizations need real-time access to information and applications
◦ Global project teams
◦ Time zone differences
◦ Limited on-site network infrastructure
Access for project teams cannot disrupt security of internal network or
sensitive data
Internal IT groups already overly taxed defending what’s behind the
organization’s firewall
Multi-layered information access across industries like financial services,
construction, government, coalition partners, energy, heavy equipment
and manufacturing is increasing
Typical Office Security Environment
[Diagram labels: Public Internet, Hacker, Hacker, Typical Firewall, Office Network]
External Access Security Environment
[Diagram labels: Hacker, Business Partners, Office Workers, Hacker, External Firewalls, Internal Firewalls, Public Internet, Shared Access Network]
Five Fundamental Challenges
Is there a focus regarding data/application sharing?
◦ IT must make it all happen?
◦ Outsource everything? If not everything, what can or can’t be outsourced.
Time & money: the cost of security, expertise & time to deploy
◦ Most IT professionals are trained at defending the internal network from external threats
◦ The insider threat is becoming more prevalent
◦ Providing filtered access is a new challenge, requiring familiarity with different approaches and technologies
User simplicity
◦ Technologies that may be routine to IT professionals are complex and cumbersome to the average user
◦ Installing/Configuring/Accessing VPNs
◦ Sharing Files with Corporate FTP Sites
Managing the system: wrong person – wrong task
◦ Project Managers know the applications but don’t know IT
◦ System administrators know IT, but don’t know project management
Support
◦ Geography and time zones, along with distant support (using equipment and applications not maintained by
your IT department) make support by internal IT a nightmare
Real World Situation

Security
— Granting access to users outside the protected organization network
— Access from countries where the governmental infrastructure is totally different from our own
— Working with multiple governmental agencies and users
— The security requirements of the project require high technology, high encryption and procedures
beyond the scale typically deployed by your organization

Support
— Supporting external users from other organizations is a big concern
— Supporting software being deployed remotely is also a concern. How do you support software with
users that are 5,000 miles away?
— Time zone challenge
< At 10:00 a.m. local time, it’s 3:00 a.m. EST. Supporting remote users throughout their work day would require
hiring an IT staff that worked after hours basically 7 days a week.
Real World Situation

Possible solution – Outsourcing may not be a cost effective option
— Decisions:
< Can we do it? Should we do it? If we don’t, what is the impact?
< Project management is business-critical bordering on mission-critical
— Time & Cost evaluation
< If direct costs to outsource are less, capital expenses could be eliminated
< Deployment with outsourced solution could happen in a matter of days vs. 2-3 months
— User Simplicity & System Management
< Deployment through outsourcing could eliminate need for VPNs or client side configurations
< Outsourced applications enable Project Managers to create/modify/delete users remotely
— Support
< Application supported 24 x 7 while maintaining network security - Priceless
Simple Solutions to a
Complex Problem
Evaluate business-critical vs. mission-critical
◦ Determine business objectives and define which data/applications are
mission-critical and which are business-critical
◦ Identify security requirements and the impact of not being able to access
your applications
◦ Combination of both, mission-critical applications identified as revenue generating, while
business-critical are time-saving.
Evaluate costs to deploy
◦ Time
◦ Do I have adequately trained IT resources with appropriate experience in both security
infrastructure technology as well as application technology who can manage this system?
◦ How long will it take to deploy the security infrastructure and then to deploy access to my
applications?
◦ Look at expenses both for application delivery and enhanced security
environment
Simple Solutions to a
Complex Problem
Decision
◦ You’ve selected a great management application, but ensure it is easy to use AND
access!
◦ It’s simple, but is it secure? What do users and IT have to do to make it secure?
Right person – right task
◦ Ensure you don’t have to get an IT support ticket every time you want to
add/delete/modify a user
◦ Remember, you invest in software to save time & money, not waste time with
infrastructure challenges
Who’s on support?
◦ Everyone has a support offering, but ensure your solution can consolidate who owns
what. Too many pieces of the puzzle are detrimental to any organization
◦ If you are time-zone challenged, evaluate the costs of off-hours support and how that
would be handled internally
Physical Access Security
▪ Establishing Perimeters
▪ Implementing and Maintaining a System, Equipment, Procedures
▪ Defensive Depth, Universal Application
▪ Monitoring / Detection / Response
Defensive Depth
Multiple barriers to breach: make an
intruder work harder
Multiple levels, multiple techniques
Multiple levels of monitoring and
detection
Introduce random supplemental checks
Penetration tests
Universal Application
Every time
Every person
Every control point
Weekdays, nights and weekends
Why: keeps the “bright line” between authorized
and unauthorized
Monitoring/Detection/
Response
Monitoring: what conditions, when
Detection: manual, automatic, alarms; who is
notified?
Response:
√Who, what, when
√How contacted
√Logistics and SLA
Failure in any area “breaks the chain” of response
Common Intrusion
Techniques
“Piggy-backing”
Poor housekeeping of access privileges
• Terminated employees
• Transferred employees
“I have a delivery for Mr./Ms. X.”
Concealment within interior protected areas
Exploitation of known system flaws
WHAT YOU ALREADY KNOW
▪ Good Things:
• Card readers and physical access control systems
• Cameras
• Locked doors
▪ Bad Things:
• Piggybacking
• Easy-to-guess passwords
• Inattention to happenings in the area
▪ No need to hear that again
WHAT YOU MAY NOT KNOW...
▪ Facilities & Security co-dependencies
▪ How they affect the enterprise risk picture
▪ How formal risk assessment techniques are emerging as tools to reduce critical facilities risks
3 THINGS TO TAKE AWAY
▪ Coordinate Facilities and Security before investing in reliability and improvements - or waste your resources
▪ How? Get everyone on the same page with common language
▪ The language of formal risk assessment techniques does this very well; it’s worth taking time to learn
SECURITY & FACILITIES
▪ SECURITY NEEDS FACILITIES
▪ Surveillance & Access Control need power
▪ Cameras need light
▪ Guard force needs decent environment just like everyone else
▪ FACILITIES NEEDS SECURITY
▪ Extra eyes and ears for building problems
▪ Help screen visiting technicians
▪ Reduce tampering with building systems
Protective Measures
Awareness is the key!
• Know the neighbors and any vehicles routinely parked near your home/office
• Know what is common in your workplace. What is out of place?
• Observe your environment – clothing? Mannerisms?
• Make mental note of suspicious or out-of-place individuals or incidents
Your organization is equipped with leading
edge technology and you have the best
skilled workers to carry out your
organization’s mission, but STOP! You are
now faced with a Catch 22 situation.
THE INSIDER THREAT
A catch-22 is a paradoxical situation from which an individual cannot escape
Insider Threats and Indicators
The insider threat focuses on the employee who may be
disgruntled and unhappy with his job relationship, but
beyond that also takes on added anti-ideas and sympathies.
Indicators should be developed to help identify those people who may not
just be unhappy with their job, but ready to take violent action against their
fellow co-workers and peers.
Most people don’t start their jobs hating them and in most cases, even if
one dislikes their job, the discontent is either managed or the person moves
on. Care must be taken to distinguish between legitimate gripes and
passing complaints in comparison to long term, on-going disillusionment,
opposition to, or hatred of the job, the co-workers or the organization.
Summary
Threats to information security that are unique to physical security. Proper measures in
place to protect personnel, networks and assets.
Key physical security considerations at a facility.
Physical security monitoring components (Ingress/Egress)
Essential elements of access control
Fire safety, fire detection, and response
Importance of supporting utilities, especially use of uninterruptible power
Countermeasures to physical theft of assets
REMINDER: “Security is Everyone’s Responsibility”
Questions?
Contact Information:
Hank K. Green
Phone: DSN 315-243-3696, Intl 81-468-16-3696
Email: hank.green@fe.navy.mil