Convergence of Security 2008 IANS Midwest Information Security Forum
  1. User Briefing: Convergence of Security
     Bob Radvanovsky, Infracritical
     Allan McDougall, Evolutionary Security Management
     October 20-21, 2008, Midwest Information Security Forum, Chicago, IL
     The contents of this presentation are confidential and intended solely for use by forum participants. Copyright © 2008 IANS. All rights reserved.
  2. Introduction
     • About Infracritical and Evolutionary Security Management
       – Infracritical and ESM were formed in response to the need to establish and define standards and protocols for Critical Infrastructure Protection (CIP).
       – We are among the industry leaders in the private sector, providing research for management, best-practice capabilities, education and training, information-sharing practices and, most importantly, information security awareness programs to both the private and public sectors throughout the United States and Canada.
     • About Bob Radvanovsky and Allan McDougall
       – Experienced in Critical Infrastructure Protection (CIP); visionaries, speakers and published authors on the subject (Bob: 4 books, Allan: 2 books).
     2008 Midwest Information Security Forum 1
  3. Convergence of Physical and Logical Infrastructure
     • Physical security infrastructure (access control systems, CCTV, etc.) has traditionally operated in isolation from other systems in order to maintain confidence that the system has not been compromised.
       – As these systems become web-enabled, there is increasing concern that they can be subject to compromise such as hacking and spoofing.
       – As these systems are placed on the shared network infrastructure, there is increasing concern that network assets become single points of failure that can expose the whole organization to compromise.
       – Finally, there is increasing concern that as the complexity of these physical security systems increases, they consume increasing amounts of network resources (bandwidth) and become a limiter on the business.
  4. Convergence of Physical and Logical Infrastructure
     • Consider this diagram of a network-enabled CCTV system spanning several locations (diagram not reproduced in this transcript).
     • Each element is assigned an IP address.
     • Do these infrastructure points allow an attacker to control the infrastructure point, or to gain access to the rest of the network through it?
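The two questions on this slide (can an attacker control a camera or DVR, and can they get through it into the rest of the network) are segmentation questions that can be checked mechanically against an inventory and a firewall policy. The script below is an added example and is not part of the original presentation: it uses a constructed device inventory, constructed zone names and addresses, and a simplified first-match, default-deny rule model, and it reports devices whose management ports are reachable from an untrusted zone and devices that hold interfaces in more than one zone (the pivot points). A weak policy, where the web interface was opened to the corporate LAN, is shown beside a hardened one.

```python
"""Segmentation audit for IP-enabled physical security devices.

Added example (not from the presentation). The zones, addresses, devices
and firewall rules below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network zones: the dedicated security VLAN and two zones
# that should never be able to reach a camera's management interface.
ZONES = {
    "security_vlan": ip_network("10.50.0.0/24"),
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("192.0.2.0/24"),
}
UNTRUSTED = ("corporate", "dmz")


@dataclass
class Device:
    name: str
    addrs: tuple                        # every interface address the device holds
    mgmt_ports: tuple = (23, 80, 443)   # telnet and web UI typical of cameras and DVRs


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    ports: Optional[frozenset]          # None means any port
    allow: bool


def zone_of(addr: str) -> str:
    """Map an address to its zone; addresses outside every zone are 'unknown'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def reachable(rules, src_zone: str, dst_zone: str, port: int) -> bool:
    """First-match firewall semantics with an implicit default deny."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and (r.ports is None or port in r.ports)):
            return r.allow
    return False


def audit(devices, rules, untrusted=UNTRUSTED):
    """Return (device, finding, detail) tuples for the slide's two questions:
    control (a management port reachable from an untrusted zone) and
    access through the device (interfaces in more than one zone)."""
    findings = []
    for d in devices:
        zones = sorted({zone_of(a) for a in d.addrs})
        if len(zones) > 1:
            findings.append((d.name, "bridges zones", zones))
        for z in zones:
            for src in untrusted:
                for port in d.mgmt_ports:
                    if reachable(rules, src, z, port):
                        findings.append((d.name, f"mgmt port {port} reachable from {src}", z))
    return findings


# Constructed inventory: a lobby camera on the security VLAN and a DVR that
# was also plugged into the corporate LAN so managers could view footage.
SAMPLE_DEVICES = (
    Device("cam-lobby", ("10.50.0.11",)),
    Device("dvr-hq", ("10.50.0.10", "10.10.4.20")),
)

# Weak policy: the web UI was opened to the whole corporate network.
WEAK_RULES = (
    Rule("corporate", "security_vlan", frozenset({443}), allow=True),
    Rule("corporate", "security_vlan", None, allow=False),
)

# Hardened policy: nothing from the corporate LAN or DMZ reaches the security VLAN.
# The dual-homed DVR is still reported, because a firewall cannot fix that.
HARDENED_RULES = (
    Rule("corporate", "security_vlan", None, allow=False),
    Rule("dmz", "security_vlan", None, allow=False),
)

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label)
        for finding in audit(SAMPLE_DEVICES, rules):
            print("  ", finding)
```

Under the weak policy both devices are reported as controllable over port 443 from the corporate LAN and the DVR is additionally reported as a bridge between zones; under the hardened policy only the bridge remains, which is the finding that has to be fixed by moving the interface, not by a rule change.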
  5. Solution Strategy
     • Build awareness and integrate the Physical Security and IT Security communities into a common Asset Protection community, paying particular attention to building comprehensive awareness and the capacity of personnel to work across domains.
       – Put forward a plausible vision
       – Manage expectations
       – Set achievable goals
       – Maximize the ability to first anticipate, then detect and respond to, emerging issues
  6. Key Steps
     • Key Activities:
       – A – Cross-train personnel to build awareness
       – B – Small-scale projects to build and prove interaction between the communities
       – C – Ensure expert-driven contributions to improve effectiveness, reduce waste and identify possible avenues of risk
     • Key Resources:
       – Visionary leadership
       – Cross-training, up to cross-certification, integrated into job expectations
       – Small-scale test environment isolated from critical systems
  7. Results
     • Security personnel more aware of situations that give threat agents the means and opportunity to compromise the organization
     • Greater granularity of understanding of infrastructure at the enterprise level
     • Greater ability to achieve domain awareness in terms of facility security and trend analysis through automation
  8. Lesson #1: Manage Expectations
     • Just because technology exists doesn't mean it is appropriate to your environment
       – Is the security intrinsic to the system commensurate with the assets being protected?
       – Tested, certified or accredited?
     • Put a check and balance on new technology acquisitions, ensuring that they are proposed on the basis of business lines
       – New technology should be linked to improvements in business processes or reductions in overhead
       – Closely monitor communities that constantly attempt to install the "latest and greatest"
     • Unnecessary collections of shiny things only attract trouble
  9. Lesson #2: Establish a Central Change Management Authority
     • Senior management support
       – Early step in the consultation process
       – Mandatory step in the approval process
     • Check and balance for the integration of new technologies
       – Consistency (procurement, maintenance and disposal)
       – Modularity to ensure granularity (detail) and interoperability (compatibility)
       – Scalability in support of changing and evolving business requirements
     • Management of change means appropriately integrating tools to improve efficiency and effectiveness
  10. Lesson #3: Balance the Team
      • Do not allow Physical Security or IT Security to dominate
        – Symbiosis under the need to ensure effective and efficient business processes
        – Take advantage of knowledge bases across communities to ensure the best possible solution
      • Appropriate delegation
        – Prevent decisions being made without understanding the risk
        – Ensure risk management includes consideration of all potentially impacted parties (including system and data owners where appropriate)
      • Reinforce the concept that individual success depends on team success
  11. Lesson #4: Use Process Models for Integration
      • Similar to the COBIT model:
        – Plan and Organize based on business needs, ensuring the ability to prevent, detect, respond to and recover from security events
        – Acquire and Implement so that modularity and scalability are maintained while not exposing critical infrastructure to unknown risks
        – Deliver and Support using personnel who understand both physical and logical risks, so that internal actions do not create unknown vulnerabilities
        – Monitor and Evaluate the performance of the system against performance criteria commensurate with the sensitivity of the assets involved
      • Remember that process is there to serve a purpose, not to be the purpose
  12. Lesson #5: Understand that Knowledge is Power
      • Awareness in management of the key issues
        – What is real and what is visionary
      • Cross-training of experts to minimize conflicts of ideology and maximize understanding
        – Definition bases
        – Core concepts and models
        – Due diligence
      • Require continuous learning and professional development
        – Do not allow complacency
        – "When you're green you're ripe; when you're ripe you're rotten"
      • Understand that administration, management and leadership are complementary but not the same thing
  13. Contact Information
      Bob Radvanovsky, CIFI, CISM, CIPS – rsradvan@infracritical.com
      Allan McDougall, PCIP, CMAS – amcdougall@evolutionarysecurity.ca