Presentation on theme: "How to secure an information security environment January 15, 2014"— Presentation transcript:
1 How to secure an information security environment
January 15, 2014
Lance P. Hawk, CFE, CGEIT, CISA, CISM, CRISC
2 About the speaker
Lance Hawk has over 30 years of professional experience in various fields of computer security. He is owner and operator of Computer Forensics and IT Security Solutions, LLC, specializing in computer forensics, threat management and IT security solutions. Lance manages and directs an IT Security, Risk and Compliance program for a local international manufacturing company, serving as Information Security Manager and Chief Information Security Officer. He is proficient in the preservation, identification, extraction, recovery, interpretation and documentation of computer evidence, including the rules of evidence, legal processes, integrity of evidence, and the factual reporting of the information found. Lance serves as a consultant and trainer in the areas of computer security and computer forensics to law enforcement, government, industry and academia. Previously Lance was the manager of computer forensics and global cyber investigations at Air Products and Chemicals, Inc. He is a past president of Philadelphia InfraGard (an FBI and industry partnership), a past president of the local Information Systems Audit and Control Association chapter and a past president of the local Association of Certified Fraud Examiners chapter.
3 Agenda
- Definitions
- Information Security Principles
- Security Enablers
- Information Security Policy
- Security Requirements and Priorities Input
- Key Success Factors
- COBIT 5
- ISSC, CISO, ISM Roles
- ISO 27002
- Implementing Controls
- 20 Essential Security Controls – source
- Target Data Breach and Security Best Practices for PoS Systems
- Good Sources of Cyber Security Information
4 Definitions
FISMA - The Federal Information Security Management Act of 2002 recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA has brought attention within the federal government to cyber security and explicitly emphasized a "risk-based policy for cost-effective security."
NSA – No Such Agency
ISSC vs. CISO vs. ISM
NIST vs. COBIT vs. ISO (International Organization for Standardization – successor to BS17799)
5 Information Security
Ensures that within your workplace, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and non-access when required (availability).
Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.
Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation (an authentication service that provides proof of the integrity and origin of data) and authenticity.
Availability means ensuring timely and reliable access to and use of information.
Securing information at your workplace comes down to adopting, and successfully implementing, information security principles!
6 Information Security Principles
1. Support the business
2. Defend the business
3. Promote responsible information security behavior
7 Information Security Principles
1. Support the business:
- Focus on the business to ensure that information security is integrated into essential workplace activities.
- Deliver quality and value to stakeholders to ensure that information security delivers value and meets business requirements.
- Comply with relevant legal and regulatory requirements to ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.
- Provide timely and accurate information on information security performance to support business requirements and manage information risk.
- Evaluate current and future information threats to analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken.
- Promote continuous improvement in information security to reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security.
8 Information Security Principles cont.
2. Defend the business:
- Adopt a risk-based approach to ensure that risk is treated in a consistent and effective manner.
- Protect classified information to prevent disclosure to unauthorized individuals.
- Concentrate on critical business applications to prioritize scarce information security resources by protecting the business applications in which a security incident would have the greatest business impact.
- Develop systems securely to build quality, cost-effective systems on which business people can rely.
3. Promote responsible information security behavior:
- Act in a professional and ethical manner to ensure that information security-related activities are performed in a reliable, responsible and effective manner.
- Foster an information security-positive culture to provide a positive security influence on the behavior of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact.
9 Security Enablers
- Ethics and culture relating to information security
- Applicable laws, regulations and policies
- Applicable contractual regulations
- Existing policies and practices
- Maturity level of the current information security enablers
- Information security capabilities and available resources
- Industry practices
- Existing and mandatory standards and frameworks regarding information security
11 Information Security Policy
Policy MUST be driven by control objectives from COBIT, ISO, etc. Policies provide more detailed guidance on how to put controls into practice and how they will influence decision making.
- Risk management policy (ISO)
- Information security policy (ISO)
- Acceptable use policy*
- Organization of information security policy (ISO)
- Asset management policy (ISO)
- Personnel information/Human Resources security policy (ISO)
- Physical and environmental information security policy (ISO)
- Communications and operation management policy (ISO)
- Access control policy (ISO)
- Information systems acquisition, software development and maintenance policy (ISO)
- Incident management policy (ISO)
- Business continuity and disaster recovery policy (ISO)
- Compliance policy (ISO)
- Vendor management policy (Human Resources)
- Mobile device policy (Access Control/Acceptable Use)
- Guest wireless policy (Access Control/Acceptable Use)
12 Wearable Device Policy
Google Glass/Pebble Smartwatch
Just by getting Glass to "see" a malicious QR code, an attacker could force a connection to a malicious Wi-Fi or Bluetooth connection, then eavesdrop on all communications. Admittedly, the attack wouldn't trigger a countdown to global doom, but it does highlight the automated, promiscuous network-connecting habits of mobile devices, Glass included.
13 Are you both bald and lost? And want to run a .PPT like this? Then, I have a deal for you…
14 Sony Smart Wig
There are three versions of the wacky Japanese invention:
1) A built-in laser pointer for .PPT presentations (tug the right sideburn to move forward, pull the left to go back a page)
2) One that guides the user to his or her destination using vibrations and an onboard GPS
3) One that keeps track of body temperature and blood pressure
15 Security Requirements and Priorities Input
- Business plan and strategic intentions
- Management style
- Information risk profile
- Risk appetite
16 Key Success Factors
- The direction and mandate for the information security initiative, as well as visible ongoing commitment and support provided by top management
- An information security initiative that understands the business and IT objectives and is supported by all parties
- Effective communication and enablement of the necessary changes ensured
- COBIT 5 for Information Security and other supporting good practices and standards (ISO 27002) that are tailored to fit the unique context of your business
- Adequate funding and resource commitment
- Adequately skilled human resources who can implement the enablers
- Focus on quick wins and prioritize the most beneficial improvements that are easiest to implement
17 COBIT 5COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from information technology (IT) by maintaining a balance between realizing benefits and optimizing risk levels and resource use.COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
19 Governance vs. Management
The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes.
Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
21 COBIT Benefits
- Reduced complexity and increased cost-effectiveness due to improved and easier integration of information security standards, good practices and/or sector-specific guidelines
- Increased user satisfaction with information security arrangements and outcomes
- Improved integration of information security in the enterprise
- Informed risk decisions and risk awareness
- Improved prevention, detection and recovery
- Reduced (impact of) information security incidents
- Enhanced support for innovation and competitiveness
- Improved management of costs related to the information security function
- Better understanding of information security including critical security controls
23 Control Recommendations Example 7 – Wireless Device Control
Quick Wins - Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Deny access to those wireless devices that do not have such a configuration and profile.
Visibility/Attribution - Perform a site survey to determine what areas within the organization need coverage. After the wireless access points are strategically placed, the signal strength should be tuned to minimize leakage to areas that do not need coverage.
Configuration/Hygiene - Register all mobile devices, including personnel devices, prior to connecting to the wireless network. All registered devices must be scanned and follow the corporate policy for host hardening and configuration management.
Advanced - Configure all wireless clients used to access private networks or handle organization data in such a way that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by the organization.
Best in Class – generally with Gartner, Forrester, SANS or TechRepublic input.
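The Quick Win and Configuration/Hygiene tiers above amount to a reconciliation: every device seen on the wireless network must map to a registration with a documented owner, a business need, and a security profile it actually conforms to, and everything else is denied. The following Python is an added example written for this page, not code from the presentation or any vendor product; the profile names, the registry records and the observed associations are all constructed sample data, and the `hardening_scanned` flag stands in for whatever pre-connection host check a real deployment uses.

```python
"""Added example (not from the presentation): reconcile observed wireless
associations against a device registry and decide allow/deny per device."""
from dataclasses import dataclass

# Hypothetical security profiles: what a compliant client must negotiate and pass.
PROFILES = {
    "corp-laptop": {"security": "WPA2-Enterprise", "hardening_scanned": True},
    "handheld-scanner": {"security": "WPA2-Enterprise", "hardening_scanned": True},
}

@dataclass
class Registration:
    mac: str
    owner: str           # documented owner of the connection
    business_need: str   # defined business need
    profile: str         # name of the authorized security profile

@dataclass
class Association:
    mac: str
    ssid: str
    security: str            # auth/encryption the controller negotiated
    hardening_scanned: bool  # outcome of the host hardening scan

def normalize_mac(mac):
    """MACs arrive as AA-BB-.. or aa:bb:..; compare them in one canonical form."""
    return mac.strip().lower().replace("-", ":")

def evaluate(associations, registry):
    """Return {mac: (decision, reason)} for every observed association."""
    reg = {normalize_mac(r.mac): r for r in registry}
    decisions = {}
    for a in associations:
        mac = normalize_mac(a.mac)
        r = reg.get(mac)
        if r is None:
            decisions[mac] = ("deny", "not registered")
            continue
        if not r.owner or not r.business_need:
            decisions[mac] = ("deny", "registration incomplete (owner/business need)")
            continue
        profile = PROFILES.get(r.profile)
        if profile is None:
            decisions[mac] = ("deny", f"unknown profile {r.profile!r}")
            continue
        if a.security != profile["security"]:
            decisions[mac] = ("deny", f"security {a.security} does not match required {profile['security']}")
            continue
        if profile["hardening_scanned"] and not a.hardening_scanned:
            decisions[mac] = ("deny", "host hardening scan not passed")
            continue
        decisions[mac] = ("allow", f"owner={r.owner}, need={r.business_need}")
    return decisions

# Constructed sample registry: one complete record, one registered but undocumented,
# one whose client later negotiates the wrong security mode.
SAMPLE_REGISTRY = [
    Registration("AA:BB:CC:00:00:01", "j.doe", "warehouse scanning", "handheld-scanner"),
    Registration("aa-bb-cc-00-00-02", "", "", "corp-laptop"),
    Registration("AA:BB:CC:00:00:03", "a.smith", "finance laptop", "corp-laptop"),
]

# Constructed sample of what the wireless controller reports as associated.
SAMPLE_OBSERVED = [
    Association("aa:bb:cc:00:00:01", "CORP", "WPA2-Enterprise", True),
    Association("AA:BB:CC:00:00:02", "CORP", "WPA2-Enterprise", True),
    Association("aa:bb:cc:00:00:03", "CORP", "WPA2-Personal", True),
    Association("aa:bb:cc:00:00:04", "CORP", "WPA2-Enterprise", True),  # never registered
]

def sample_report():
    return evaluate(SAMPLE_OBSERVED, SAMPLE_REGISTRY)

if __name__ == "__main__":
    for mac, (decision, reason) in sample_report().items():
        print(f"{mac}  {decision:5}  {reason}")
```

Only the first device is allowed; the other three are denied for three different reasons (incomplete registration, wrong security mode, unknown device), which is the point of keeping the reason alongside the decision: the deny list doubles as the work queue for fixing registrations.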
24 Target Hack
The Target hack was against a PoS system using malware called Dexter.
Guest information, separate from the payment card data previously disclosed, was taken during the data breach from customers using a debit or credit card between 11/27 and 12/15. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or addresses; combined with the credit card data, the total comes to up to 110 million individuals.
PoS hardware consists of the device used by customers to swipe their credit or debit card, and the computing equipment electronically attached to the device.
PoS software is the set of applications that process the data found on the credit or debit card's magnetic stripe. Key information the software looks for is stored on two tracks:
- Track one: Cardholder's name and account number
- Track two: Credit-card number and expiration date
Dexter steals the process list from the infected computer, and dissects memory dumps looking for the track one and two data.
Need to block the following in outgoing firewall rule sets!
11e d7fbea1ab8f9aa7a com
a80c6fa d23765cda4.com
e7dce8e4671f8f03a040d08bb08ec07a.com
e7bc2d0fceee1bdfd691a80c783173b4.com
815ad1c058df1b7ba9c0998e2aa8a7b4.com
67b3dba8bc eb77249db32e.com
fabcaa b68aa e613.com
Call if you "qualify"
The primary risk is increased exposure to consumer scams, such as phishing, web scams and social engineering including via texts!
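Blocking the command-and-control domains in the outgoing rule set is only half the control; the other half is confirming, from the firewall or proxy logs, that nothing on the PoS segment is still reaching them, and noticing when a hit was logged as ALLOW because the rule was never deployed. The Python below is an added example for this page, not code from the presentation or from the Target investigation: the blocklist entries are constructed placeholders (the indicators on the slide are damaged and are not reproduced here), the log line format is an invented key=value style, and the sample lines are constructed.

```python
"""Added example (not from the presentation): flag outbound connections whose
destination host is on a C2 domain blocklist, including subdomains."""
import re

# Constructed placeholder blocklist. An entry also covers all of its subdomains.
BLOCKLIST = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed log format: "<timestamp> src=<ip> dst=<host[:port]> action=<ALLOW|DENY>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+action=(?P<action>\w+)")

def normalize_host(host):
    """Lower-case, drop a :port suffix and a trailing dot so lookups are exact."""
    host = host.strip().lower()
    if "[" not in host:              # leave bracketed IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def host_matches(host, blocklist=BLOCKLIST):
    """Return the blocklist entry that covers host (exact or parent domain), else None."""
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):        # try host, then each parent domain
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def find_blocked_egress(log_lines, blocklist=BLOCKLIST):
    """Parse log lines and return one record per connection to a blocklisted domain."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:                       # unparseable lines are skipped, not fatal
            continue
        matched = host_matches(m["dst"], blocklist)
        if matched:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "matched": matched, "action": m["action"]})
    return hits

# Constructed sample log: a benign update check, a direct hit that the firewall
# still ALLOWed, a subdomain hit that was DENIED, a look-alike that is not a
# subdomain, and a junk line.
SAMPLE_LOG = [
    "2014-01-15T10:02:11Z src=10.20.30.41 dst=updates.vendor.example:443 action=ALLOW",
    "2014-01-15T10:02:15Z src=10.20.30.41 dst=C2-Placeholder-1.example.:80 action=ALLOW",
    "2014-01-15T10:02:19Z src=10.20.30.42 dst=cdn.c2-placeholder-2.example:443 action=DENY",
    "2014-01-15T10:02:23Z src=10.20.30.43 dst=notc2-placeholder-1.example:443 action=ALLOW",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in find_blocked_egress(SAMPLE_LOG):
        flag = "RULE MISSING" if h["action"] == "ALLOW" else "blocked"
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]} ({h["matched"]}) {flag}')
```

The suffix walk in `host_matches` is what makes a parent-domain entry cover `cdn.c2-placeholder-2.example` without also matching the look-alike `notc2-placeholder-1.example`; a plain substring check would get the second case wrong. Any hit whose action is ALLOW is the actionable finding: the host is talking to a listed domain and the egress rule is not in place.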
25 Your Risk and Target's Response
Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian's® ProtectMyID® product, which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23. Activation codes must be redeemed by April 30, 2014.
Call if you have any questions.
The primary risk is increased exposure to consumer scams, such as phishing, web scams and social engineering including via texts!
27 Patching a PoS System
Most are Windows-based.
Patch deployment is slow or non-existent because of the many government and industry regulations; if a company supplying PoS systems updates or changes their product and the change reaches a certain threshold, it has to go through an approval process.
Another reason for slow patch rollout is that management has learned to err on the side of caution when it comes to updates, remembering when it was anyone's guess whether an update installed correctly, bricked workstations, or brought down mission-critical servers.
Therefore, PoS systems are "ripe" for attack.
28 Security Best Practices for PoS Systems
Use Strong Passwords: During the installation of POS systems, installers often use the default passwords for simplicity on initial setup. Unfortunately, the default passwords can be easily obtained online by cybercriminals. It is highly recommended that business owners change passwords to their POS systems on a regular basis, using unique account names and complex passwords.
Update POS Software Applications: Ensure that POS software applications are using the latest updated software applications and software application patches. POS systems, in the same way as computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.
Install a Firewall: Firewalls should be utilized to protect POS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.
Use Antivirus: Antivirus programs work to recognize software that fits their current definition of being malicious and attempt to restrict that malware's access to the systems. It is important to continually update the antivirus programs for them to be effective on a POS network.
Restrict Access to Internet: Restrict access to POS system computers or terminals to prevent users from accidentally exposing the POS system to security threats existing on the internet. POS systems should only be utilized online to conduct POS related activities and not for general internet use.
Disallow Remote Access: Remote access allows a user to log into a system as an authorized user without being physically present. Cyber criminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, it is important to disallow remote access to the POS network at all times.
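Three of the practices above (install a firewall, restrict internet access, disallow remote access) are statements about what the rule set protecting the PoS segment should and should not contain, so they can be audited mechanically. The Python below is an added example for this page, not code from the presentation or any firewall vendor: the rule representation is a generic dict per rule, the approved egress destinations (a payment processor range and a patch server) are constructed placeholders using documentation address space, and the sample rule sets are constructed, one with the common mistakes and one hardened.

```python
"""Added example (not from the presentation): audit a PoS segment's firewall
rule set against the slide's firewall / internet / remote-access practices."""
from ipaddress import ip_network

# Inbound services that the "Disallow Remote Access" practice says must not be open.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Placeholder destinations a PoS terminal legitimately needs (constructed).
ALLOWED_EGRESS = {
    ip_network("203.0.113.0/24"): "payment processor (placeholder)",
    ip_network("192.0.2.10/32"): "patch server (placeholder)",
}
ANY = "0.0.0.0/0"

def audit_pos_rules(rules):
    """Return a list of (rule_number, category, detail); empty means the set passes.
    Rule numbers are 1-based; 0 refers to the rule set as a whole."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r["action"] != "allow":
            continue
        src, dst = ip_network(r["src"]), ip_network(r["dst"])
        port = r.get("port", "any")
        if r["direction"] == "in" and (port == "any" or port in REMOTE_ACCESS_PORTS):
            svc = REMOTE_ACCESS_PORTS.get(port, "all ports")
            findings.append((n, "remote access", f"inbound {svc} allowed from {src}"))
        if r["direction"] == "out" and not any(dst.subnet_of(net) for net in ALLOWED_EGRESS):
            findings.append((n, "internet access",
                             f"outbound port {port} to {dst} is not an approved destination"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == ANY and last["dst"] == ANY):
        findings.append((0, "default deny", "rule set does not end with an explicit deny-all"))
    return findings

POS_SEGMENT = "10.50.0.0/24"

# Constructed rule set with the typical mistakes: general web access and RDP from anywhere.
SAMPLE_RULES = [
    {"direction": "out", "action": "allow", "src": POS_SEGMENT, "dst": "203.0.113.0/24", "port": 443},
    {"direction": "out", "action": "allow", "src": POS_SEGMENT, "dst": ANY, "port": 80},
    {"direction": "in", "action": "allow", "src": ANY, "dst": POS_SEGMENT, "port": 3389},
    {"direction": "in", "action": "allow", "src": "10.10.0.0/24", "dst": POS_SEGMENT, "port": 8443},
    {"direction": "any", "action": "deny", "src": ANY, "dst": ANY, "port": "any"},
]

# Constructed hardened set: egress only to approved destinations, no remote-access ports.
HARDENED_RULES = [
    {"direction": "out", "action": "allow", "src": POS_SEGMENT, "dst": "203.0.113.0/24", "port": 443},
    {"direction": "out", "action": "allow", "src": POS_SEGMENT, "dst": "192.0.2.10/32", "port": 443},
    {"direction": "in", "action": "allow", "src": "10.10.0.0/24", "dst": POS_SEGMENT, "port": 8443},
    {"direction": "any", "action": "deny", "src": ANY, "dst": ANY, "port": "any"},
]

if __name__ == "__main__":
    for name, rules in (("sample", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_pos_rules(rules) or "OK")
```

The audit treats the management console rule (port 8443 from a management subnet) as acceptable, which is a deliberate choice: the practice is to disallow remote access to the PoS network, not to forbid every inbound connection. What it does insist on is that egress is enumerated per destination and that the rule set ends in an explicit deny-all, so that a missing rule fails closed rather than open.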
29 Sources
NIST - http://csrc.nist.gov/publications/PubsSPs.html
** SP rev4 Security and Privacy Controls for Federal Information Systems and Organizations
SP rev2 Computer Security Incident Handling Guide
SP Log Management
SP Wireless Control
COBIT 5 –
ISO
SANS – Incident Response
and for industrial control systems … https://ics-cert.us-cert.gov/Standards-and-References