SecureIT 2014 - Data Security Protecting Businesses and National Assets - Sastry Tumuluri, Information Technology Advisor...

  • 225 views
Uploaded on

SecureIT 2014 - Data Security Protecting Businesses and National Assets - Sastry Tumuluri, Information Technology Advisor...

SecureIT 2014 - Data Security Protecting Businesses and National Assets - Sastry Tumuluri, Information Technology Advisor...

More in: Education
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
225
On Slideshare
0
From Embeds
0
Number of Embeds
2

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. InfoSec Challenges in eGov one-sided stories SecureIT 2014 New Delhi 2014-03-14
  • 2. 2 who really is responsible for security? » yes, it is a trick / multi-layered question, but... » in eGov land today, we begin with a CERT / CSIRT and a Crisis Management Plan » clearly a wrong idea to start with
  • 3. 3 who really, is the project manager? » project management = contract administration! » so it is not a problem unless a vendor or an auditor says it is » security requirements originate from “policies”
  • 4. 4 who rules the policy land? » consultants and OEMs do! » disconnected (= not related to project realities), ultra high-level and ultra low-level too! » imagine your home security designed this way!
  • 5. 5 broad contours #1 » applications should be hosted in State Data Centers <Esc> cite operational/technical/management issues </Esc> <Esc> craft the contract to be SaaS! </Esc> <Esc> use project budget to make your own data center! </Esc>
  • 6. 6 broad contours #2 » applications must be security audited before going live <Esc> don't host them in State / NIC Data Centers </Esc> <Esc> hire a tool-monkey as security auditor </Esc> <Esc> audit the audit report informally! </Esc> » use this as an excuse to get the project scrapped!
  • 7. 7 broad contours #3 » emphasis on great products at the Data Center <Esc> no problem! they are not meant for your app! </Esc> <Esc> no problem! no one is looking at them! </Esc> <Esc> dont' use them; use project funds to get your own! </Esc> » got unlucky? get your Secretary talk to the IT Secretary!
  • 8. 8 broad contours #4 » no need for a SOC, SIEM or any form of monitoring » IT / Infrastructure pros with part-time security duties (network security firewalls good enough!)→ → » Good part: NIC teams do have security-focused individuals Bad part: AppSec is largely “delegated” to “auditors”!
  • 9. 9 broad contours #5 » expertise and needs are not co-located experts live in ivory towers, unconcerned by project objectives » policies and needs are not co-located so policies evolve independently of project needs » middle-level technical leadership is largely missing so decision making is unconstrained by facts and logic
  • 10. 10 the scary reality! part 1 » incredible lack of awareness not only among users, but also IT professionals! » ultra-low standards to being an InfoSec professional hackers have moved from being script-kiddies; we haven't! » the average tech talk starts with news and FUD ends before barely scratching any actionable
  • 11. 11 the scary reality! part 2 » infosec frameworks are still mostly vuln/threat-specific IDS/IPS rule-sets, vuln-dbs, exploit-dbs, » sky-high cost of products and services depresses demand!→ » the blind lead the deaf and dumb!
  • 12. 12 how do we cope? #1 » move away from the audit once / once-a-year mindset » Continuous Vulnerability Management (suits our agile methods) » Establish a SOC – make it available to all projects » Mid-level leaders must be super-competent! (in Infra, Development, Platforms, … and InfoSec)
  • 13. 13 how do we cope? #2 » pool expensive resources and use them efficiently » increase the use of open source tools » new programs around fresh graduates and internships time for a few interesting stories? project proposals with job applications! » strategic partnerships and sustainable capacity building
  • 14. 14 how do we cope? #3 » An 8-part Framework centered on Assets & Risk Management » Continuous: Vulnerability Management, Security Monitoring, Awareness & Education, Platform Assurance » Periodic: Penetration Testing (include Social Engineering ++ !) » As-Required / As-Available: Threat Intel, DFIR, Malware Intel/Research
  • 15. 15 Assets Risk M anage ment Continuous Vulnerability Management Continuous Security Monitoring PlatformAssurance Education&Awareness DFIR Pen Testing Malware Research Threat Intel
  • 16. 16 thank you sas3@haryanaismo.gov.in sastrytumuluri.blogspot.com @sastrytumuluri