4th Annual Enterprise Security Asia Conference February 2007, Kuala Lumpur, Malaysia Emerging Threats and the Call for Convergence in Security Stephen.


1 4th Annual Enterprise Security Asia Conference
February 2007, Kuala Lumpur, Malaysia
Emerging Threats and the Call for Convergence in Security
Stephen Cobb, CISSP
Cobb Associates

2 The official agenda
cobbassociates.com Copyright 2007 Stephen Cobb Slide 2 of 18
  Current and future threats to information assets
  Developments in information security laws and regulations
  Desirable characteristics and roadmap to achieve a more comprehensive and secured infrastructure for the enterprise
  Implications of security convergence and how it may improve efficiency and reduce costs

3 A slightly different agenda
  The roadmap comes first (and last)
  Developments in information security laws and regulations
  Current and future threats to information assets
  Security convergence and how it may reduce costs and improve security
  [Chart: Value of assets (Logical, Physical). What portion of total asset value of the enterprise is information?]

4 Roadmap to achieve more comprehensive and secured infrastructure for an enterprise
  Charting a path begins with assessing the risks
    – What are your information assets?
    – What are the main threats to those assets?
    – What is the relative probability of those threats?
    – What would be the impact on the enterprise of the higher probability threats materializing?
  Next is policy that addresses the threats
    – Failure to update policies can cause big problems
  Then come procedures to implement the policy
    – Don’t get technical until you have policies and procedures

5 Implementation is not the end of it
  Don’t forget the people
    – Administrators
    – Users
    – Customers
  They all need training and awareness
  Then you need proactive management of the secured infrastructure
  And then you need to repeat the process

6 Developments in information security laws and regulations: must be monitored
  Prosecutions tend to come after the technology has been deployed
    – US Federal Trade Commission v. Eli Lilly
  But laws may force defensive changes
    – California security breach notification law
  Laws can mandate standards, sometimes across borders
    – Sarbanes-Oxley, HIPAA, anti-terrorism, 2-factor
  Industry self-regulation
    – ISO 17799, credit card rules

7 Current and future threats to information assets – the threat cloud
  viruses, Trojans, worms, phishing, spear-phishing, spam, keystroke loggers, removable media, buffer overflows, eavesdropping, rogue APs, bogus APs, zombies, botnets, PDAs, USB keys, spies, identity thieves, OS holes, application holes, logic bombs, VoIP & WiFi holes, fire & flood, allowed paths, bad actors

8 Current and emerging areas of concern
  Mobile malicious code still very active
    – Code to create zombies, gather personal data
  Spam continues to choke servers
    – Users still falling for phishing attacks
  End point security increasingly threatened
    – Increased mobility, use of wireless, smart phones
    – Increased channels, IM, RSS, SMS, blogs, web apps
  Insider threats increasingly dangerous due to
    – More channels, smaller media and devices
    – More bad actors, more targets, better monetization

9 Another way to view threats: Actors >>> Actions >>> Targets
  Same old “hackers”
  Unethical competitors
  Freelance criminals
  Organized criminals
  Regulatory bodies
  Wider array of tools than ever
  Widespread broadband connectivity
  Ever more allowed paths
  Relative lack of sophistication among users
  Accounts, customers, trade secrets
  Personally identifiable information
  Fueled by a booming global market in stolen data

10 Response? Monitor and control all connections, devices, users, premises
  You need all the standard connection controls:
    – Intrusion detection, intrusion prevention, filtering, firewalls, and a response plan
  Harden endpoints and check devices at perimeter: NAC = Network Admission Control
  Users need to be authenticated at all times, but also need to be monitored once admitted
  Background checks plus ongoing evaluation
  Premises must have appropriate access controls

11 Sound familiar? Consider the parallels
  A response plan, devices checked at perimeter, user authentication, monitoring, background checks, ongoing evaluation, appropriate access controls
  This sounds a lot like physical security
    – Which is a lot more than guns/guards/gates
    – Inventory control, site security, investigations
    – Forensics, law enforcement liaison

12 Security convergence can mean improved efficiency and reduced costs
  This is a hot trend, something that some people are talking about, others are doing
  The idea? Closer cooperation between physical security and logical security
  Typically handled by two separate entities
  Could you merge some or all of their functions in your enterprise?
  Would it create a more secure enterprise?

13 First thing to note: this is not new
  “Physical security is the most basic level of security. This is important to bear in mind as you get further into data and program security.”
  “The safety of an organization's personal computer equipment and the data stored therein depends upon the organization taking appropriate steps to secure the premises.”
    – The Stephen Cobb Guide to PC & LAN Security, 1992

14 Second thing to note: results may vary
  There is still no ‘standard’ structure for information security management
  The practical benefits of convergence to your enterprise will probably be determined by the
    – Type of business you are in
    – Structure of your company
    – Personality of key decision makers

15 How security convergence might work
  Cross-train physical / logical security staff
  Create common reporting entity
  Map areas of expertise, concerns, cuts
    – E.g. Screening of new hires
        Law enforcement background better than HR or IT
    – E.g. Employee identification
        Use for site access, system access, monitoring
    – E.g. Incident response
        Physical security needs to be involved regardless

16 Why it might make sense
  Better prevention
    – Spotting bad actors, anomalous activity, warning signs, weak points
  Better detection
    – Alarms, 7x24 presence, employee monitoring
  Better response
    – Coordinated incident response is required
    – Investigations and forensics often require combined logical and physical security skills
  Better coordination—avoiding conflicts, waste

17 Potential obstacles to security convergence
  May not fit business model
    – Use of IT varies by sector
  Turf wars
    – Resource inequality
    – IT pay versus guard pay
  Culture-clash
    – Different backgrounds
    – Skill sets
    – Outlook
  [Chart: Value of assets (Logical, Physical). What portion of total asset value of the enterprise is information?]

18 Thank you!
  Stephen Cobb
  cobbassociates.com
  sc at cobbassociates dot com

