SecureIT 2014 - Data Security Protecting Businesses and National Assets - Sastry Tumuluri, Information Technology Advisor...

Uploaded as Adobe PDF. Usage rights: © All Rights Reserved.
    Presentation Transcript

    • [Slide 1] InfoSec Challenges in eGov: one-sided stories. SecureIT 2014, New Delhi, 2014-03-14

    • [Slide 2] who really is responsible for security?
      » yes, it is a trick / multi-layered question, but...
      » in eGov land today, we begin with a CERT / CSIRT and a Crisis Management Plan
      » clearly a wrong idea to start with

    • [Slide 3] who, really, is the project manager?
      » project management = contract administration!
      » so it is not a problem unless a vendor or an auditor says it is
      » security requirements originate from "policies"

    • [Slide 4] who rules the policy land?
      » consultants and OEMs do!
      » disconnected (= not related to project realities), ultra high-level and ultra low-level too!
      » imagine your home security designed this way!
    • [Slide 5] broad contours #1
      » applications should be hosted in State Data Centers
        <Esc> cite operational/technical/management issues </Esc>
        <Esc> craft the contract to be SaaS! </Esc>
        <Esc> use project budget to make your own data center! </Esc>

    • [Slide 6] broad contours #2
      » applications must be security audited before going live
        <Esc> don't host them in State / NIC Data Centers </Esc>
        <Esc> hire a tool-monkey as security auditor </Esc>
        <Esc> audit the audit report informally! </Esc>
      » use this as an excuse to get the project scrapped!

    • [Slide 7] broad contours #3
      » emphasis on great products at the Data Center
        <Esc> no problem! they are not meant for your app! </Esc>
        <Esc> no problem! no one is looking at them! </Esc>
        <Esc> don't use them; use project funds to get your own! </Esc>
      » got unlucky? get your Secretary to talk to the IT Secretary!
    • [Slide 8] broad contours #4
      » no need for a SOC, SIEM or any form of monitoring
      » IT / Infrastructure pros with part-time security duties (network security → firewalls → good enough!)
      » Good part: NIC teams do have security-focused individuals
      » Bad part: AppSec is largely "delegated" to "auditors"!

    • [Slide 9] broad contours #5
      » expertise and needs are not co-located: experts live in ivory towers, unconcerned by project objectives
      » policies and needs are not co-located, so policies evolve independently of project needs
      » middle-level technical leadership is largely missing, so decision making is unconstrained by facts and logic

    • [Slide 10] the scary reality! part 1
      » incredible lack of awareness, not only among users but also among IT professionals!
      » ultra-low standards for being an InfoSec professional: hackers have moved on from being script-kiddies; we haven't!
      » the average tech talk starts with news and FUD and ends before barely scratching anything actionable

    • [Slide 11] the scary reality! part 2
      » infosec frameworks are still mostly vuln/threat-specific: IDS/IPS rule-sets, vuln-dbs, exploit-dbs, ...
      » sky-high cost of products and services → depresses demand!
      » the blind lead the deaf and dumb!
    • [Slide 12] how do we cope? #1
      » move away from the audit-once / once-a-year mindset
      » Continuous Vulnerability Management (suits our agile methods)
      » establish a SOC and make it available to all projects
      » mid-level leaders must be super-competent! (in Infra, Development, Platforms, ... and InfoSec)

    • [Slide 13] how do we cope? #2
      » pool expensive resources and use them efficiently
      » increase the use of open source tools
      » new programs around fresh graduates and internships (time for a few interesting stories? project proposals with job applications!)
      » strategic partnerships and sustainable capacity building

    • [Slide 14] how do we cope? #3
      » an 8-part Framework centered on Assets & Risk Management
      » Continuous: Vulnerability Management, Security Monitoring, Awareness & Education, Platform Assurance
      » Periodic: Penetration Testing (include Social Engineering ++ !)
      » As-Required / As-Available: Threat Intel, DFIR, Malware Intel/Research

    • [Slide 15] (framework diagram) Assets & Risk Management at the centre, surrounded by: Continuous Vulnerability Management, Continuous Security Monitoring, Platform Assurance, Education & Awareness, DFIR, Pen Testing, Malware Research, Threat Intel

    • [Slide 16] thank you
      sas3@haryanaismo.gov.in
      sastrytumuluri.blogspot.com
      @sastrytumuluri