Security Management
6 March 2014
PRESENTED BY HANK GREEN

Security Management
How do widely dispersed project teams collaborate safely and securely?
◦ What’s Changing
◦ Typical Security Environments
◦ Five Fundamental Challenges
◦ Real World Situation
◦ Simple Solutions to a Complex Problem
◦ Physical Security
◦ The Insider Threat
◦ Questions & Answers

What’s Changing
Increasing reliance on the Internet (Cloud) as a data access platform
The continuing evolution of information and technology demands a high degree of integration to provide relevant and effective capabilities, to include a highly trained and motivated workforce.
Organizations need real-time access to information and applications
  ◦ Global project teams
  ◦ Time zone differences
  ◦ Limited on-site network infrastructure
Access for project teams cannot disrupt security of internal network or sensitive data
Internal IT groups already overly taxed defending what’s behind the organization’s firewall
Multi-layered information access across industries like financial services, construction, government, coalition partners, energy, heavy equipment and manufacturing is increasing

Typical Office Security Environment
[Diagram labels: Public Internet, Hacker, Hacker, Typical Firewall, Office Network]

External Access Security Environment
[Diagram labels: Hacker, Business Partners, Office Workers, Hacker, External Firewalls, Internal Firewalls, Public Internet, Shared Access Network]

Five Fundamental Challenges
Is there a focus regarding data/application sharing?
  ◦ IT must make it all happen?
  ◦ Outsource everything? If not everything, what can or can’t be outsourced.
Time & money: the cost of security, expertise & time to deploy
  ◦ Most IT professionals are trained at defending the internal network from external threats
  ◦ The insider threat is becoming more prevalent
  ◦ Providing filtered access is a new challenge, requiring familiarity with different approaches and technologies
User simplicity
  ◦ Technologies that may be routine to IT professionals are complex and cumbersome to the average user
  ◦ Installing/Configuring/Accessing VPNs
  ◦ Sharing Files with Corporate FTP Sites
Managing the system: wrong person – wrong task
  ◦ Project Managers know the applications but don’t know IT
  ◦ Systems Administrators know IT, but don’t know project management
Support
  ◦ Geography and time zones, along with distant support (using equipment and applications not maintained by your IT department) make support by internal IT a nightmare

Real World Situation
Security
  — Granting access to users outside the protected organization network
  — Access from countries where the governmental infrastructure is totally different from our own
  — Working with multiple governmental agencies and users
  — The security requirements of the project require high technology, high encryption and procedures beyond the scale typically deployed by your organization
Support
  — Supporting external users from other organizations is a big concern
  — Supporting software being deployed remotely is also a concern. How do you support software with users that are 5,000 miles away?
  — Time zone challenge
    • At 10:00 a.m. local time, but it’s 3:00 a.m. EST. Supporting remote users throughout their work day would require hiring an IT staff that worked after hours basically 7 days a week.

Real World Situation
Possible solution – Outsourcing may not be a cost-effective option
  — Decisions:
    • Can we do it? Should we do it? If we don’t, impact?
    • Project management is business-critical bordering on mission-critical
  — Time & Cost evaluation
    • Is direct costs to outsource less, capital expenses could be eliminated
    • Deployment with outsourced solution could happen in a matter of days vs. 2-3 months
  — User Simplicity & System Management
    • Deployment through outsourcing could eliminate need for VPNs or client-side configurations
    • Outsourced applications enable Project Managers to create/modify/delete users remotely
  — Support
    • Application supported 24 x 7 while maintaining network security - Priceless

Simple Solutions to a Complex Problem
Evaluate business-critical vs. mission-critical
  ◦ Determine business objectives and define which data/applications are mission-critical and which are business-critical
  ◦ Identify security requirements and the impact of not being able to access your applications
  ◦ Combination of both, mission-critical applications identified as revenue generating, while business-critical are time-saving.
Evaluate costs to deploy
  ◦ Time
  ◦ Do I have adequately trained IT resources with appropriate experience in both security infrastructure technology as well as application technology who can manage this system?
  ◦ How long will it take to deploy the security infrastructure and then to deploy access to my applications?
  ◦ Look at expenses both for application delivery and enhanced security environment

Simple Solutions to a Complex Problem
Decision
  ◦ You’ve selected a great management application, but ensure it is easy to use AND access!
  ◦ It’s simple, but is it secure? What do users and IT have to do to make it secure?
Right person – right task
  ◦ Ensure you don’t have to get an IT support ticket every time you want to add/delete/modify a user
  ◦ Remember, you invest in software to save time & money, not waste time with infrastructure challenges
Who’s on support?
  ◦ Everyone has a support offering, but ensure your solution can consolidate who owns what.
    Too many pieces of the puzzle is detrimental to any organization
  ◦ If you are time-zone challenged, evaluate the costs of off-hours support and how that would be handled internally

Physical Access Security
Establishing Perimeters
Implementing and Maintaining a System, Equipment, Procedures
Defensive Depth, Universal Application
Monitoring / Detection / Response

Defensive Depth
Multiple barriers to breach: make an intruder work harder
Multiple levels, multiple techniques
Multiple levels of monitoring and detection
Introduce random supplemental checks
Penetration tests

Universal Application
Every time
Every person
Every control point
Weekdays, nights and weekends
Why: keeps the “bright line” between authorized and unauthorized

Monitoring/Detection/Response
Monitoring: what conditions, when
Detection: manual, automatic, alarms; who is notified?
Response:
  √ Who, what, when
  √ How contacted
  √ Logistics and SLA
Failure in any area “breaks the chain” of response

Common Intrusion Techniques
“Piggy-backing”
Poor housekeeping of access privileges
  • Terminated employees
  • Transferred employees
“I have a delivery for Mr./Ms. X.”
Concealment within interior protected areas
Exploitation of known system flaws

WHAT YOU ALREADY KNOW
Good Things:
  • Card readers and physical access control systems
  • Cameras
  • Locked doors
Bad Things:
  • Piggybacking
  • Easy-to-guess passwords
  • Inattention to happenings in the area
No need to hear that again

WHAT YOU MAY NOT KNOW...
Facilities & Security co-dependencies
How they affect the enterprise risk picture
How formal risk assessment techniques are emerging as tools to reduce critical facilities risks

3 THINGS TO TAKE AWAY
Coordinate Facilities and Security before investing in reliability and improvements - or waste your resources
How?
Get everyone on the same page with common language
The language of formal risk assessment techniques does this very well; it’s worth taking time to learn

SECURITY & FACILITIES
SECURITY NEEDS FACILITIES
  Surveillance & Access Control need power
  Cameras need light
  Guard force needs decent environment just like everyone else
FACILITIES NEEDS SECURITY
  Extra eyes and ears for building problems
  Help screen visiting technicians
  Reduce tampering with building systems

Protective Measures
Awareness is the key!
  • Know the neighbors and any vehicles routinely parked near your home/office
  • Know what is common in your workplace. What is out of place?
  • Observe your environment – clothing? Mannerisms?
  • Make mental note of suspicious or out-of-place individuals or incidents

Your organization is equipped with leading edge technology and you have the best skilled workers to carry out your organization’s mission, but STOP! You are now faced with a Catch-22 situation.

THE INSIDER THREAT
A catch-22 is a paradoxical situation from which an individual cannot escape

Insider Threats and Indicators
The insider threat focuses on the employee who may be disgruntled and unhappy with his job relationship, but beyond that also takes on added anti-ideas and sympathies.
Indicators should be developed to help identify those people who may not just be unhappy with their job, but ready to take violent action against their fellow co-workers and peers.
Most people don’t start their jobs hating them and in most cases, even if one dislikes their job, the discontent is either managed or the person moves on.
Care must be taken to distinguish between legitimate gripes and passing complaints in comparison to long term, on-going disillusionment, opposition to, or hatred of the job, the co-workers or the organization.

Summary
Threats to information security that are unique to physical security.
Proper measures in place to protect personnel, networks and assets.
Key physical security considerations at a facility.
Physical security monitoring components (Ingress/Egress)
Essential elements of access control
Fire safety, fire detection, and response
Importance of supporting utilities, especially use of uninterruptible power
Countermeasures to physical theft of assets

REMINDER: “Security is Everyone’s Responsibility”

Questions?
Contact Information:
Hank K. Green
Phone: DSN 315-243-3696, Intl 81-468-16-3696
Email: hank.green@fe.navy.mil