Transcript of "Understanding the security_organization"
CIS 264 Week 1Highline Community College Dan Morrill
Roles within the company Risks that are part of the regulatory landscape (SOX, HIPAA, FERPA, PCI-DSS, etc.) Risks that are part of the business decisions Risks that are part of the technology decisions Risks that are part of the security decisions HIPAA requires a firewall, the business decides to purchase CISCO because of an existing contract, Technology purchases a Cisco 7600 with a firewall module, security configures it to work on the network by opening ports and allowing access to services
Decisions for technological solutions will be made by people who do not understand the technology Decisions for purchasing will be made by existing contracts and discounts with IT providers Decisions might be locked in for years (Cisco, Microsoft, Linux) because of those contracts And it is hard to swap out technologies, it is nearly impossible for a Windows shop to go to Linux in its entirety because of “lock in” with vendors You see this now with cloud computing, and the attempt to avoid vendor lock in with any provider
Point solutions are still popular in organizations Technology and security need to understand what needs to be protected in the organization Technology and security need to understand the critical assets for business continuity (the systems the company needs to run to continue to do business) Every manager and executive thinks that their systems are business critical and will make decisions about IT, Business Continuity, and Disaster recovery based on that perception Businesses are highly political Don’t tell the VP you can’t do it, or won’t do it – they will find a way to make it happen regardless of what IT says
Technology and security need to identify every IT solution in the company and how the interconnect to each other to deliver services This includes new, old, vintage, and forgotten systems and programs Some programs and systems will be orphaned in the organization with no clear manager or maintainer Some users do not want their systems upgraded or changed and will help kill new systems or changes Some managers do not want to lose what political power they have – and will help kill new systems or changes
Technology provides solutions to business problems, business problems are based on the perceived power of the people making those decisions What are the systems we need to protect Who uses them and how What are the risks we are trying to reduce What is the highest priority risks (this is heavily influenced by power both actual and perceived within an organization) Are you reducing risks in the most cost effective way? Heavily dependent upon politics and power within the organization
Risk = (threats x vulnerabilities) + (likelihood x impact) + (politics + positional power in the organization) Risk is the probability of loss This means uncertainty and messy answers This means that the “risk” is open to political and positional influence up and down the organization Risk is the possibility of a threat How likely is something to happen, how clever are the hackers, how clever is IT and security? Risk is qualified (measured) by how likely something is to happen to the systems This is prone to second guessing, and lack of imagination
A vulnerability is the weakness that makes the resource susceptible to the threat. A threat is anything capable of acting against a resource in a manner that can result in harm (intentionally or accidentally). The likelihood is a measure of how probable it is that the threat/vulnerability pair will be realized. The severity is a measure of the magnitude of the consequences that result from the threat/vulnerability pair being realized for that resource.
Likelihood: Critical (5) – Exposure is apparent through casual use or with publicly available information, and the weakness is accessible publicly on the Internet High (4) – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. Moderate (3) – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability. Low (2) – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised Extremely Low (1) – The threat-source is part of a small and trusted group, controls prevent exploitation without physical access to the target, significant inside knowledge is necessary, or purely theoretical
Severity: Critical (4) – May allow full access to or control of the application, system, or communication including all data and functionality High (3) - May allow limited access to or control of the application, system, or communication including only certain data and functionality Moderate (2) – May indirectly contribute to unauthorized activity or just have no known attack vector. Impact may vary as other vulnerabilities or attack vectors are identified. Low (1) – May indirectly contribute to unauthorized activity or just have no known attack vector. Impact may vary as other vulnerabilities or attack vectors are identified.
Risk Exposure: 1 – 4 Low - May have some minor effect on the system, but likely little impact to the organization overall. Recovering from such an impact will require minimal expenditures and resources. A single issue, by itself, may not place the integrity, availability, or confidentiality of a system at risk. Multiple issues in this category could be combined, however, in an exploit attempt. 5–7 Moderate - May result in some tangible impact to the organization. The impact could be narrow in focus and perhaps only noted by a few individuals or parts of the organization. May cause organizational embarrassment. Recovering from such an impact will require some expenditure and resources. 8 – 11 High - May cause an extensive system outage, and/or loss of customer or business confidence. May also result in compromise of a large amount of the organization’s information or services, including sensitive information. Recovering from such an impact will require a substantial amount of expenditure, resources, and time. These vulnerabilities should be taken seriously and addressed quickly. 12+ Critical - This level of risk exposure is unacceptable for any aspect of the environment. It introduces a level of exposure that cannot be maintained over time. The remaining categories may be acceptable depending on the risk tolerance range.
Applied Risk Exposure: 1–8 Low - Acceptable without review by management 9 – 25 Moderate - Management must determine whether corrective actions are required or decide to accept the risk 26 – 39 High - Undesirable and requires corrective action. A plan must be developed to incorporate these actions within a reasonable period of time based on the discretion of management. 40+ Critical - Undesirable and requires immediate corrective action
There are two primary approaches to information security at this time Proactive Reactive Proactive – identify risks and vulnerabilities to systems before hackers do, and take appropriate actions to secure them and minimize risk Reactive – wait to get hacked, then take appropriate measures and actions to secure them and minimize risk
Reactive information security has generally fallen out of favor Most companies do a combination of reactive and proactive security Patch updates Internal security testing If hacked – find the way they got in and fix it Reactive information security has a hard time scaling to the organization because of the complexity of systems being used and the number of ways that networks are accessed BYOD complicates the matter of reactive because it is very hard to define where the network boarder is
Proactive information security is limited by: The imagination of people doing security risk management The skills of the employees who conduct information security surveys of the network The support of management to fix problems (that might be critical but costly) in a reasonable period of time “Security as a Cost Center” the perception of no real benefit to the company because nothing bad ever happens Proactive information security is written into some regulations by specifying that companies will accomplish tasks like third party network evaluations, firewalls, and other security systems as part of the companies operations
One of the largest problems in information security is that there are a large number of “unknowns” It is unknown to most companies, law enforcements, and governments just how many vulnerabilities there are out there There is a broad and complex market for “Zero Day” vulnerabilities that are used by companies, criminals, law enforcement and governments without notifying the developer of those flaws Most companies cannot and do not belong in the business of “zero day” research
Hacks get more complex Hackers duration on the networks increases AV might not catch it all Firewalls and SEIM systems might not see it all Coders will never write unhackable code Systems are exposed everywhere there is a connection Open markets for vulnerabilities Slow OEM response at times to vulnerabilities
You have to manage your networks, systems, access points, user front ends, and everything else with what you know People in technology and/or information security that do not constantly learn new stuff become obsolete within a year You have to work with an often dysfunctional organization to learn to play politics to secure systems adequately You have to trust OEM’s to deliver a patch in time You have to trust your systems based on what they are seeing And you have to get creative with your skills to keep your networks safe