BUT ANIMALS ARE NOT COMPUTERS… Idea, object, door, window, document, computer, laptop, tablet, person, place, thing, formula, ...
WRAP UP. 1. What are you securing? Must always start here. 2. Define the World. 3. Define the Threats. 4. Define the Loss. 5. ...
EXTRA LESSON TIME - ANIMALS (INSECTS). DDoS (DNS re-routing lesson from ants): “When an established path to a food source is ...
SLIDE REFERENCES. 3: http://farm4.static.flickr.com/3103/2853985315_b8805e2eb6.jpg http://www.secmeme.com/2011/03/too-much-s...
SteenFjalstad Secure360 - KISS (How much security is enough?)
Originally presented at Secure360 - 2013

KISS (How much security is enough?)

Wednesday May 15, 2013 — 2:35 PM

This presentation will cover the many nuances of a security program and the most important question for today's savvy businesses: How much security is enough? Too many times companies and people spend more than they need on policies, technologies and people, and it may have been too much. This topic explores the KISS approach to getting the biggest bang for your buck (e.g. Confidentiality, Integrity, Availability). Core theme: ideas and suggestions on how to ‘right-size’ any security program. Why buy a tank when a 4×4 truck will do? The most important question to ask with any program is ‘What are we securing?’ If the security program cannot tie back to this, then the program must change and/or the analysis/risk assessment must change to better align the security program with the threats, vulnerabilities and risks of the organization.

Published in: Technology, Business

  • INTRO: Not a know-it-all – know this is hard – We keep spending… keep having more breaches…. Change the conversation & focus on solutions.
  • Welcome. A famous person once said, “you can't pound in a nail with a sledge hammer – you need a variety of tools” on your tool belt. This is one of those tools. AGENDA (read and go through). NOTE - We will look to the animal kingdom and history to help with some of the discussion… Get your animal – have over 140… hopefully enough… Ask questions at any time… Raise your hand – we'll talk, and if we don't have an answer in <30 seconds… Parking Lot for future discussion (lesson from my wonderful consulting days of course). Picture from Luis Viton – Hollywood, CA 2008. Bikes from Miami. Can from ?
  • WANT TO SET UP THE PRESENTATION – MAKE SURE TO SET THE STAGE
  • When you look in the dictionary, you will NOT get much help. So again, thank you to the Secure360 community for allowing me to share…. Ah-Ha: I would ask – where do I start or go next? Slides represent some Ah-Ha for me. Give me focus. Struggle: Some (Regulators & Politicians) may be unclear on how much (or not enough) on security. Knowledge: Sometimes need to step up a level…. Other Secure360 presentations, business literature, consultants, news stories, research, academia, security conferences, etc. Hacks are good… but this is a framework to look down from the 50k ft. level. Tool: This will hopefully help you think differently, learn something, build out your security tool belt. Source: From personal experiences, historical and fact based. Let's Go: This is to continue the dialog beyond problems… and offer solutions to keeping security simple and actually getting us more secure as a nation and industry. Ask questions anytime.
  • Point 1 – Most people that have been in the sec. industry get this, but some folks in power and some newcomers can use a quick refresher. Not sure of the audience level here; I wanted to be fair and make sure everyone is on the same page – again, oldie but a goodie…. Security is an infinite journey, not a destination… where does the journey end? Security is only hard because sometimes we view security as a destination… not a journey… something we plan for, scope, set up calendars for, and then end. What's next? Things change… we need to adapt. E.g. – is a regulation, standard, policy, procedure, technology, person, certification, security? OPEN QUESTION… MAYBE… IT DEPENDS.
  • Point 2: Yes, breaches will occur. DINOSAURS: Looking to the animal kingdom (which there will be an exercise on later) we realize that in nature nothing is 100% secure. After 3B years of nature adapting to environments we still have animal extinction… it happens, get over it. MAGINOT LINE: What made you secure yesterday will not make you secure today (e.g. WWI thinking brought the Maginot Line and war generals thought it was the most genius thing – (AC, trains, delaying Germans… cost too much and the French army weakened… and Germany invaded Belgium)…. The weakest link will be the one that IS exploited by a skilled adversary. What makes you secure today will not make you secure tomorrow. No amount of $ or to do the best you can… Brings to mind – we are only as strong as our weakest link – here you see Germany invaded through Belgium and took over France in only 6 weeks… not a historian, but the interesting thing is that when the US was marching back to the east they avoided the Maginot Line altogether… and went through Belgium…. Fort Knox of uranium – built after 9/11 (not to be confused w/ the actual Ft. Knox): (Reuters) - In July 2012, three aging anti-nuclear activists, including an 82-year-old nun, cut through fences surrounding the "Fort Knox" of uranium storage, and U.S. lawmakers want to know how that was possible. The facility is a major storage center for highly enriched uranium, a key component of nuclear bombs. The security breach at what was supposed to be one of the most secure facilities in the United States has raised new questions about a plan to overhaul oversight of nuclear laboratories and weapons plants. An internal Energy Department watchdog found guards ignored motion sensors because they are routinely triggered by wildlife, and a security camera that should have shown the break-in had been broken for about six months. NASA: http://science.house.gov/sites/republicans.science.house.gov/files/documents/hearings/HHRG-112-SY21-WState-PMartin-20120229.pdf NASA testimony from Feb 29, 2012 - Testimony before the Subcommittee on Investigations and Oversight, House Committee on Science, Space, and Technology.
  • Point 3: Throwing money at security will not necessarily make you more secure. Many examples of waste… since 2006 security spend has been increasing, and since 2006 (estimated) there has been $337 Billion spent on Corporate IT Security… datalossdb.org… 7,380 data loss incidents since 2004. So yes, while they may not have been ‘secure’... compromise happens… loss happens – not naming companies so as not to detract from the focus, but the breach data is out there… and the ref is there if you want to go find it. ---------------- There is no such thing as accomplishing security… so let's get the Gartner numbers and other general numbers out of the way as well. A 2010 survey of 1,500 or so companies worldwide found businesses spend an average of 5% of their total IT budget on security, according to Gartner's IT Key Metrics Data for 2010. Gartner also broke it down to security spending per employee, which averaged around $525 annually in 2009, compared to $636 in 2008 and $510 in 2007. Of the total IT security budget, 37% is spent on personnel, 25% on software, 20% on hardware, 10% on outsourcing and 9% on consulting. http://www.computerworld.com/s/article/9187239/How_much_should_you_spend_on_IT_security_
  • Lots of nuances in Security: Physical, Cyber, International; Government, Industry, Regulatory, Compliance. Want to cover off on four ways to look at the nuances of Security. FOCUS – on Cyber Security.
  • A simple and handy go-to guide… Moving to the traditional role of CSO/CISO. This is one CSO/CISO model to help think about security – courtesy of University of Washington. Technology = old way of thinking about Security. Tech by itself is NOT the solution to the problem. Business = privacy, industrial espionage, regulations. Critical Security = nation states, China, building trust w/ outsiders. Layered solutions are needed. People are the 1st line of defense and the strongest. Who is responsible for this at your company? Who are the targets? Who are your adversaries? Have you been breached? How will you know? What about your employees? Information Security – dumpster diving (info unshredded). Computer Security – stolen/lost laptop (hard drives are not encrypted). What do we tell customers if we lose a laptop? Do we need to tell them? What about Regulations? What about the shareholders? Critical security examples – two key areas we will focus on today. * = discussion on
  • Some categorization can be redone, but this is the basis for risk – as used by DHS. This is important… we tend to get way down in the weeds way too fast… bring it up a level. “Story about when I was first starting out as an auditor… got lost in the weeds of the work papers, and then ask yourself… what are you testing?” Testing admin access… change mgmt… no worry about admins making changes when you are testing to see that the changes followed a process. ************ When someone says it's too risky – looking at the many nuances of risk will help drive the discussion to better quantify it… ****** The resiliency and adaptability mitigate the unknowns… without it your program is incomplete…
  • Standards and frameworks are important, but you must make sure you know what they are used for and what they are not used for. Standards SHOULD be considered the floor and not the ceiling. Some organizations may start out a security dept. by basing their security on being compliant… it will work for the first few years to get it off the ground, but then what…? Goes without saying that compliance is excellent and good, but sometimes just being compliant is not enough anymore. Reason – the standards can't always keep up with the risk (previous slide) – that's where security comes in…. As you noted on slide 10 – security compliance is part (part) of a security program. Only part. ASK AUDIENCE – DO YOU AGREE - DISAGREE?
  • NIST circa 1995: Traditionally, cyber security focuses on the protection required to ensure the confidentiality, integrity, and availability of the electronic information and communication systems. http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol1.pdf Security is using people, processes, technologies to reduce risk to an acceptable level. The 1995 definition of the tenets of computer cyber security demonstrates that what was found to be true in 1995 also holds true in 2012. The CIA triad has held up to the test of time and should be the cornerstone of cyber security. As defined by NIST in 1995.
  • We NEED this complexity to solve our problems and this frames up the basis for the rest of the discussion. Now I would like to provide one way to get laser-like focus on the security problem to help begin getting ourselves on the other end of the security curve…. To refresh… security is a journey, not a destination; BREACHES WILL OCCUR - no such thing as 100% secure; Money and Security do not have a direct relationship. More breach examples to help demonstrate that parts of the CIA triad broke down for these organizations…
  • Covered CIA previously, but really want to leave you with this idea. What if, after building out the ‘what you are securing’ model, you boiled all of your controls down into only three? I propose that these three simple controls will offer you an appropriate level of security.
  • Three CIA based controls for vendors… Removal of Unnecessary Services and Programs… Host Intrusion Detection Systems… Changes to File System and Operating System Permissions… Hardware Configuration…
  • Newbie practicing cyber security ninja with tools like ‘armitage with metasploit’. 1st time pwning a system - attempts are made to shut it down (oops – now what – the system is down – newbie!) – changing passwords is 2nd. So… how do you do that w/ no mouse access – from the cmd prompt; don't even need admin access…. Ways: command prompt; run a .bat file; Start -> Run; Windows key + R; then type this command: ‘shutdown -s -t 9000’, and to cancel it ‘shutdown -a’ (Availability). The shutdown.exe command is an external command available in the below Microsoft Windows operating systems: Windows XP, Windows Vista, Windows 7, Windows 8. Gotta have the technical/cyber demo.
  • Now let's do a little deeper dive into the ‘Security’ journey. Will be using some comparison models & walk through a unique one to help keep it simple…. In football… What are we securing? Yes, it's the end zone – and it's NEVER 100% secure (unless you're the Packers…) – just kidding… had to do it… only defended… but all parties involved, from fans, players, coaches, refs, understand what is being secured…
  • With cars it gets a little more difficult. When they first came out – no shatterproof glass, no brake lights, no horns, no seatbelts, no airbags, no Early Warning Collision systems and adaptive cruise control and blind spot warning indicator, etc. Cars did not come out of the gate with early collision warning brake support. - Laminated glass was not introduced until 1930 (invented in 1903 by accident). - Turn signals came about in 1930. - Early Collision Warning Systems – 2000s. A little harder when securing a car…
  • The security journey for sensitive data has a very fun and exciting achievement. In the Swiss Alps there is a location called ‘Swiss Fort Knox’. It is resistant against any known civil, terroristic and military threat, and Atomic, Biological, Chemical (ABC), Electromagnetic Pulse, etc. Interestingly… as I said in ground rule #2, even the most secure systems will be compromised…. If someone was planning to take this down there is a video all about this ‘Swiss Fort Knox’ on YouTube from a Swiss news channel and you can see most of the security measures for visitors online – very interesting… what are they securing? http://www.youtube.com/watch?v=E5dxy1M3bkQ
  • General question for the audience - What has the security journey for your industry or company been like? Anyone?
  • Let's Keep It Simple…. Now that we walked through the ground rules, nuances, CIA triad, security journey, I want to show you a simple way to get to the bottom line on how much security is enough…. Many times we jump right into the weeds and stay there… need to come out and get up to a high level and discuss a top-down approach… This model will offer you a way to help rationalize all the great intelligence, knowledge, vendors, solutions, threats, vulnerabilities, technologies, etc…. It's easy to say a tool will solve your problems… but if you don't know what you're securing and why you're buying the tool you will not be successful.
  • Story about first becoming an IT Auditor – got into the weeds of change management testing… chasing down tickets and emails etc. Came up to my mentor at the time and said – I'm lost – need help… he would always say “what are you testing/auditing?” Then I'd go back to the control and look, and it was much easier to complete the testing. Here is the same principle. For example, daily I get emails on breaches and cyber attacks. Threats and losses from other worlds (e.g. DDoS from the financial sector – excellent and I love it and I have to stay up to speed on those things)… BUT… it's not my world, I probably don't see those threats… and the loss will be different. Maybe measures are the same, but who knows. So… by focusing on what I'm securing… (the U.S. Power Grid – I can go back and put the intelligence into place.) This model has really helped me to focus on the proper mitigations and $-money-$ that needs to be spent for my world… still can be waste, but for the most part… when I look at the DDoS eliminator tool, or the figure out what my thrEMS/SCADA /// WALK THROUGH THE MODEL: 1. What is the item you are securing? Must always start here. ALWAYS start with what you are securing. We talked all about the standards and frameworks – 1000's of controls if you were to dissect those… some compliance, some regulatory, some voluntary, etc. MOST try to start w/ the most critical objects and then work to secure them – so we're at least starting in a similar spot… This simple security model is more open, and focuses on just ‘enough’ security that is just for the object being secured… 2. Define the World. Draw a box and define the world – industry, country, internet connectivity, electronic communication schemes, etc… 3. Define the Threats. What will compromise the item in the world? 4. Define the Loss. What bad stuff can happen (include extremes)? 5. Define the Spend or Mitigation (security measures). What HAS the <<OBJECT>> developed to deal with these threats and losses? 6. Define what will not be Spent or Mitigated. THIS is also known as CYA… not sure how many people actually go the extra step to do this, but I think it is a good step and can lend itself right into follow-up model reviews.
  • I love animals and nature – Eagle Boy Scout. For one merit badge I had to watch a small 3ft x 3ft section of the forest and write notes on how things responded to their environment. Still remember it. Ants… are amazing creatures. When ants are bothered they communicate w/ each other rapidly with pheromones to get the message out… well… we do the same thing in cyber sec when under attack… but much worse… Anyone experienced what it's like to be under cyber attack? Highly recommend it. Read slide…. Using your animal (think of one if need be). Your animal is what you are securing. Define the World. What is the world the animal lives in? Define the Threats. What will compromise the animal? Define the Loss. What bad stuff can happen (include extremes)? Define the security measures (Spend or Mitigation). What has the animal developed to deal with these threats and losses? Define what will not be secured (Spent/Mitigated). Work by yourself, 1:1, groups, please take 3 minutes to talk and work out this exercise…
  • Read slide…. Using your animal (think of one if need be). Your animal is what you are securing. Define the World. What is the world the animal lives in? Define the Threats. What will compromise the animal? Define the Loss. What bad stuff can happen (include extremes)? Define the security measures (Spend or Mitigation). What has the animal developed to deal with these threats and losses? Define what will not be secured (Spent/Mitigated). Work by yourself, 1:1, groups, please take 3 minutes to talk and work out this exercise…
  • The world the animal lives in dictates its ‘security’ features. Animals only have the defensive/offensive equipment they need for their environments: claws, horns, wings, fangs, etc. Anyone have any comments – thoughts?
  • Most times this simple model works, and then you revisit it with more knowledge, and it gets better…
  • // Security Journey: Some thoughts on the security journey: Only by focusing on what you are securing will you become more secure. Focusing first on the threats, vulnerabilities, consequences, etc., you will go off path. // NUANCES: Shown how the CIA triad breaking down can capture most breaches and what's in the news today… all cyber security measures must tie back to protecting one of the three…. // SIMPLE SECURITY MODEL: What are you securing? Only by focusing on what you are securing will you become more secure. Focus first on the world and KNOW YOUR NETWORK, SYSTEM, ETC. THEN… threats, the loss, and then the security measures… don't buy the tool now and then figure it out later or you will absolutely go off path… Always bring it back to what is being secured and your program will right-size in no time. 1. What are you securing? 2. Define the World. 3. Define the Threats. 4. Define the Loss. 5. Define the Spend or Mitigation. 6. Define what will not be Spent or Mitigated. // Look to nature – By using security lessons from nature we realize that animals are only secure enough for the world they live in… extremely valuable lessons yet to be learned that I will pursue more of in the future… How much security is enough -
  • Thank you & questions. Wishing you well on your security journey. Please don't hesitate to reach out in the future.
  • Transcript of "SteenFjalstad Secure360 - KISS (How much security is enough?)"

    1. DISCLAIMER: Opinions or points of view expressed are those of the author and do not reflect the position of any other organization.
    2. WELCOME TO SECURE360 2013. Don't forget to pick up your Certificate of Attendance at the end of each day. Please complete the Session Survey front and back, and leave it on your seat. Are you tweeting? #Sec360 @steenfjalstad
    3. AGENDA – KISS (HOW MUCH SECURITY IS ENOUGH?): • Overview • Background • Ground Rules • Nuances • Security Program • Risk • Standards & Frameworks • Cyber Security • Fast Break Demo • The Security Journey • Simple Security Model (exercise) • Wrap-up
    4. (image only)
    5. BACKGROUND. About this presentation: • Ah-Ha. Where do I start, go next? • Struggle. How much is enough or is that too much? • Knowledge. Many available sources. • Tool. Something to add to your security tool belt. • Source. Time for me to share. Historical and fact based. • Let's go. Continue the dialog… Security: freedom from danger, risk, etc.; safety. Cyber Security: measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. Source: merriam-webster.com
    6. BASIC GROUND RULE 1 OF 3: Security is an ∞ journey, ≠ destination.
    7. BASIC GROUND RULE 2 OF 3: Even the most secure systems will be compromised.
    8. BASIC GROUND RULE 3 OF 3: $ecurity <> Security. “It's possible to spend a fortune on security, but if it's done poorly, it doesn't help a business,” - Gartner Consulting (2010). Est. $337 Billion on IT Security 2006-11. Est. 5,114 data loss incidents 2006-11. IT Budget as a percentage of overall revenue* or operating expense** (2011 Gartner Report): • 3.5% Commercial organizations* • 6.0% Technology-intensive* • 4.5% Media, entertainment, professional services* • 8.5% Government** • 4.8% Education** • NA not-for-profit. IT Security Spending as a percentage of IT Budget (2010 Gartner Survey): • 5% of total IT budget spent on Security. Survey deep dive: • 37% is spent on personnel • 25% on software • 20% on hardware • 10% on outsourcing • 9% on consulting. $525/yr per employee 2009.
    9. (image only)
    10. NUANCES OF A SECURITY PROGRAM (CSO/CISO = Chief of What?) – People, Process, Technology; Continued Research. *Modified from Source: University of Washington
       Technology Security (Technical Problems): • Computer & Network Security • Firewalls • DDoS, Viruses, Worms, Crimeware • System Hardening • Encryption • Engineering • Intrusion Prev./Intrusion Detection • Incident Response • Access Controls/Change Mgmt. • Security Information & Event Management (SIEM)
       Information Security (Business Problems): • Risk Management • Business Continuity & Disaster Planning • Awareness Training • Intellectual Property • Business/Financial Integrity • Regulatory Compliance & Auditing • Industrial Espionage • Privacy • Forensics & Investigations • Data Loss Prevention
       Strategic Security (Critical Security Problems): • Terrorism & Cyber Crime • Regional Interests (Including Cyber and Natural Disaster) • Nation State Interests • Intelligence Analysis • Professional & Trusted Alliances • Politics • Strategies and Tactics • Red Teaming & simulated attacks
    11. NUANCES OF RISK – Known Risk & Unknown Risk. Risk Management must include adaptability & resiliency (1st nod to the animal kingdom).
       Known Consequences: • Loss of data • System Outage • Traffic light DDoS • Airport Runways (Chicago) • Loss of Reputation
       Known Vulnerabilities: • Patch Management • Weak Code & Weak Configuration • FUZZING • Information leakage • Poor Passwords (default) • PADDING • User Credentials (default) • Insiders • Spearphishing • EMAIL ALIAS
       Known Threats: • OpUSA (May 7-9)… maybe • APT1 (Mandiant) • BRIC • Insiders • Cyber Jihadists • You… yes, you! • Various Breach Reports (Verizon, Symantec, etc.)
       Unknown Threats: • BLACK SWANS • Cyber Pearl Harbor
       Unknown Vulnerabilities: • 0 Day • Achilles heel
       Unknown Consequences: • Atomic, biological, chemical • Drone Compromise
    12. NUANCES OF STANDARDS & FRAMEWORKS. “Organizations have made compliance in general the basis of their information security policies. As a community, we have not evolved at all.” - Joshua Corman, 2009
    13. NUANCES OF CYBER SECURITY. Traditionally Cyber Security focuses on (NIST 1995): • Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals. • Integrity: Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. • Availability: A requirement intended to ensure that systems work promptly and service is not denied to authorized users. Cyber Security is using people, processes, & technologies… to increase electronic information & communication system confidentiality, integrity, and availability… @ an acceptable level…
    14. NUANCES OF CYBER SECURITY, CONT. CIA triad to classify cyber breach: recent security events tied directly to Confidentiality, Integrity, Availability. • CONFIDENTIALITY: April 2011 – 70 million individuals had usernames, passwords, birthdays, other personal information stolen. • INTEGRITY: Bloomberg: “the hoax erased $136 billion in equity market value in 3 minutes.” • AVAILABILITY: Multiple bank web-sites down due to DDoS April 2013. Software issue caused hundreds of flight cancellations April 2013. Stay up on breaches, hacks, exploits… if you don't have that vulnerability don't mitigate.
    15. NUANCES OF CYBER SECURITY, CONT. CIA based security controls – Internal. • Confidentiality: All electronic information and physical access is limited to individuals with a need to know. • Integrity: All electronic and physical component user and system change is controlled and monitored to prevent and detect any and all additions, changes, and removals. • Availability: All electronic and physical components are available and recoverable. “By failing to prepare, we are preparing to fail.” – Ben Franklin
    16. NUANCES OF CYBER SECURITY, CONT. CIA based security controls – Software & Vendor. • Confidentiality: Out of the box software must allow for all electronic and physical component information to only be accessed by individuals with a need to know. • Integrity: Out of the box software must allow for all electronic and physical component user and system changes to be controlled and monitored to only allow authorized and prevent unauthorized additions, changes, and removals. • Availability: Out of the box software must allow for all electronic and physical components to be available and recoverable. “An ounce of prevention is worth a pound of cure.” – Ben Franklin. 2008 Cyber Security Procurement Language for Control Systems Version 1.8 (DHS, INL, MS-ISAC, SANS)
    17. (image only)
    18. FAST BREAK - DEMO. DEMO: • Integrity: OS integrity will be changed - system event log will have shutdown event inserted. • Confidentiality: Access to box could happen by obtaining passwords through unencrypted traffic (post-it note). (This demo shows Armitage… it works.) • Availability: System shut down – game over. Availability ‘Payload’: ‘shutdown -s -t 900’ (-t 00 = immediately); ‘shutdown -a’. http://www.fastandeasyhacking.com/images/screenshots/armitage4.png
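The demo's availability payload is a timed shutdown.exe request, and the slide points out that it leaves a shutdown event in the System log. As an added check that is not part of the original presentation, the PowerShell below pulls those events back out so a defender can see which process and account asked for the shutdown. It assumes Windows Vista or later (Get-WinEvent) and an account allowed to read the System log; the function name Get-ShutdownRequest and the field order, taken from the Event ID 1074 message template, are this example's own.

```powershell
# Added example, not from the Secure360 deck. Lists shutdown/restart requests
# recorded in the System log as Event ID 1074 (provider User32), which is the
# event shutdown.exe leaves behind. Get-ShutdownRequest is this example's own name.
function Get-ShutdownRequest {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'User32'
        Id           = 1074
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent reports an error when nothing matches; treat "no events"
    # as an empty result rather than a failure.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 1074 message template: "The process %1 has initiated the %5 of
        # computer %2 on behalf of user %7 for the following reason: %3
        # Reason Code: %4  Shutdown Type: %5  Comment: %6"
        # so the EventData properties are indexed as below (assumption made by
        # this example; fall back to the raw message if the layout differs).
        $p = $e.Properties
        if ($p.Count -ge 7) {
            [pscustomobject]@{
                Time         = $e.TimeCreated
                Process      = $p[0].Value   # e.g. C:\Windows\system32\shutdown.exe (HOST)
                Computer     = $p[1].Value
                ShutdownType = $p[4].Value   # power off / restart
                User         = $p[6].Value   # account the request was made on behalf of
                Reason       = $p[2].Value
                Comment      = $p[5].Value
            }
        } else {
            [pscustomobject]@{ Time = $e.TimeCreated; Message = $e.Message }
        }
    }
}

# Usage: shutdown requests on this host in the last day, newest first.
Get-ShutdownRequest | Sort-Object Time -Descending | Format-Table -AutoSize

# While the timer from 'shutdown -s -t 9000' is still counting down, the
# request can be withdrawn on the same host (the slide's 'shutdown -a'):
#   shutdown /a
```

Event 1074 is written whether the shutdown came from the Start menu (Process shows explorer.exe), from shutdown.exe, or from a remote call, so the Process and User columns are what separate the demo's payload from a routine reboot. The speaker note that no admin rights are needed holds on a workstation because the ‘Shut down the system’ user right is granted to the local Users group by default; on server SKUs it is limited to Administrators and Backup Operators, and shutting down a remote host additionally needs ‘Force shutdown from a remote system’. Checking those two assignments (secpol.msc, User Rights Assignment) is the cheapest hardening follow-up this demo suggests.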
    19. (image only)
    20. THE SECURITY JOURNEY. FOOTBALL. Security in the game of football is easy… if only everything were…
    21. THE SECURITY JOURNEY. CARS. Little harder… • 1908 Ford Model T (Point A-B): Laminated glass (1930) • 1926 Ford Model T (Night driving): Turn signals (1939) – http://commons.wikimedia.org/wiki/File:1926_Ford • 2009 Lincoln MKS (Inattentive driver): Early Collision Warning Brake Support (2000s)
    22. THE SECURITY JOURNEY. ‘WHAT'S NEXT?’ Extremely sensitive and important data. *No visitors allowed. http://www.swissfortknox.com “Resistant against any known civil, terroristic and military threat (ABC, EMP, earthquakes, floods, landslides and large-scale fires)”
    23. THE SECURITY JOURNEY. YOUR COMPANY. Information, cell phone, door, window, document, object, computer, person, place, thing, formula, etc. What is the security journey for your industry or company like? Anyone?
    24. (image only)
    25. SIMPLE SECURITY MODEL. 1. What are you securing? Must always start here. 2. Define the World. 3. Define the Threats. 4. Define the Loss. 5. Define the Security Measures (Spend or Mitigation). 6. Define what will not be Secured (Spent or Mitigated). Modified from Source: University of Minnesota – Twin Cities (CSC5271 - KTB!). If the security program cannot tie back to the object being secured, then the program must change.
    26. SIMPLE SECURITY MODEL - ANIMAL EXERCISE. Animals: Cheetah, Elephant, Gazelle, Giraffe, Gnu (wildebeest), Gorilla, Hippopotamus, Lion, Ostrich, Rhinoceros. 1. What are you securing? Using your animal (think of one if need be). Your animal is what you are securing. 2. Define the World. What is the world the animal lives in? 3. Define the Threats. What will compromise the animal? 4. Define the Loss. What bad stuff can happen (include extremes)? 5. Define the Security Measures (Spend or Mitigation). What has the animal developed to deal with these threats and losses? 6. Define what will not be Secured (Spent/Mitigated). What will the animal not worry about? Work by yourself, 1:1, groups, please take 3 minutes to talk and work out this exercise…
27. SIMPLE SECURITY MODEL - ANIMAL EXERCISE
(Same six questions and animal list as slide 26.)
Work by yourself, 1:1, groups, please take 3 minutes to talk and work out this exercise…
28. SIMPLE SECURITY MODEL - ANIMAL EXERCISE
By using security lessons from nature we realize that animals are only secure enough for the world they live in…and sometimes they do go extinct….but they are extremely resilient and adapt when faced with unknowns….and have 3B years of lessons for us to learn from.
(The six questions of slide 26 are repeated on this slide.)
Sample Results: Lion
• Define the World:
  • African Plains & Jungle
• Define the Threats:
  • Humans & Guns
  • Loss of Habitat
  • Drought
  • Hunger
  • Other Lions & Animals
• Define the Loss:
  • Death
  • Capture
  • Extinction
• Define the Security Measures (mitigation):
  • Size: The largest lion was recorded to be nearly 700 pounds and nearly 11 feet long.
  • Age: The oldest lion on record was nearly 29 years old.
  • Vision: A lion's eyesight is five times better than a human being's.
  • Hearing: A lion can hear prey from a mile away.
  • Smell: Lions can smell nearby prey and estimate how long it was in the area.
  • Sound: A lion's roar can be heard from five miles away.
  • Diet: Lions can go four days without drinking.
  • Humans and conservation projects (extra)
• Define what will not be Secured:
  • Humans & Guns
  • Habitat Reduction
For more see: 'Learning from the Octopus – How Secrets from Nature can fight terrorist attacks, natural disasters, and disease' – Rafe Sagarin
29. BUT ANIMALS ARE NOT COMPUTERS…
Idea, object, door, window, document, computer, laptop, tablet, person, place, thing, formula, etc:
• Cell phones
• Databases
• Intellectual property
• Employee records
• Patient records
• Internet Connectivity
• Insiders
• Etc.
1. What are you securing? Using your <object> (think of one if need be). Your <object> is what you are securing.
2. Define the World. What is the world the <object> lives in?
3. Define the Threats. What will compromise the <object>?
4. Define the Loss. What bad stuff can happen (include extremes)?
5. Define the Security Measures (Spend or Mitigation). What has the <object> developed to deal with these threats and losses?
6. Define what will not be Secured (Spent/Mitigated). What will the <object> not worry about?
If the security program cannot tie back to the object being secured, then the program must change.
31. WRAP UP
1. What are you securing? Must always start here.
2. Define the World.
3. Define the Threats.
4. Define the Loss.
5. Define the Security Measures (Spend or Mitigation).
6. Define what will not be Secured (Spent or Mitigated).
If the security program cannot tie back to the object being secured, then the program must change.
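The six-step model and its closing rule, written as a checkable data structure (an added example, not part of the presentation): a measure that addresses no defined threat, a threat that is neither mitigated nor explicitly accepted, or an empty step 1-4 are the findings that mean "the program must change". The lion data is taken from the slide; which threat each measure addresses is an assumption made here.

```python
from dataclasses import dataclass, field

@dataclass
class SecurityModel:
    asset: str                                       # 1. what you are securing
    world: list                                      # 2. the world it lives in
    threats: list                                    # 3. what can compromise it
    losses: list                                     # 4. what bad things can happen
    measures: dict = field(default_factory=dict)     # 5. measure -> threats it addresses
    not_secured: list = field(default_factory=list)  # 6. threats deliberately left alone

def check(model):
    """Findings that mean 'the program must change': spend that ties back to no threat, etc."""
    declared, accepted, covered = set(model.threats), set(model.not_secured), set()
    orphan_measures = []  # measures that address no defined threat
    for measure, targets in model.measures.items():
        hits = set(targets) & declared
        covered |= hits
        if not hits:
            orphan_measures.append(measure)
    findings = {
        "missing_steps": [s for s in ("asset", "world", "threats", "losses") if not getattr(model, s)],
        "orphan_measures": orphan_measures,
        "unaddressed_threats": sorted(declared - covered - accepted),  # neither mitigated nor accepted
        "unknown_accepted": sorted(accepted - declared),  # accepted but never defined as a threat
    }
    findings["ok"] = not any(findings.values())
    return findings

# Constructed from the slide's lion walkthrough; which threat each measure
# addresses is an assumption made for this example.
LION = SecurityModel(
    asset="Lion",
    world=["African plains", "Jungle"],
    threats=["Humans & guns", "Loss of habitat", "Drought", "Hunger", "Other lions & animals"],
    losses=["Death", "Capture", "Extinction"],
    measures={
        "Size": ["Other lions & animals"],
        "Vision, hearing, smell": ["Hunger", "Other lions & animals"],
        "Four days without water": ["Drought"],
        "Conservation projects": ["Humans & guns", "Loss of habitat"],
    },
    not_secured=["Humans & guns", "Loss of habitat"],
)

if __name__ == "__main__":
    print(check(LION))
```

Swap the lion for one of the slide 29 objects (a database, patient records) and the same check reports the firewall bought for a threat nobody defined.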
32. EXTRA LESSON TIME - ANIMALS (INSECTS)
DDoS (DNS re-routing lesson from ants):
"When an established path to a food source is blocked by an obstacle, the foragers leave the path to explore new routes. If an ant is successful, it leaves a new trail marking the shortest route on its return. Successful trails are followed by more ants, reinforcing better routes and gradually identifying the best [new] path."
- Goss S, Aron S, Deneubourg JL, Pasteels JM (1989). "Self-organized shortcuts in the Argentine ant"
Under Attack (Information sharing lesson from ants):
"Ants use pheromones for more than just making trails. A crushed ant emits an alarm pheromone that sends ants into an attack frenzy and attracts more ants from farther away."
- D'Ettorre P, Heinze J (2001). "Sociobiology of slave-making ants".
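The ant-trail behaviour in the first quote, turned into a small route-selection routine (an added example, not from the presentation or the cited paper): redundant upstream paths such as resolvers or mirrors carry a pheromone weight, the strongest trail is followed, a success reinforces it, a blocked path is weakened so alternatives get explored, and every trail slowly evaporates so old routes do not dominate forever. Route names and the traffic are constructed.

```python
class TrailRouter:
    """Ant-trail route selection over a set of redundant paths (e.g. resolvers or mirrors)."""

    def __init__(self, routes, reinforce=1.0, evaporate=0.9, penalty=0.1):
        self.pheromone = {r: 1.0 for r in routes}  # every trail starts equal and weak
        self.reinforce, self.evaporate, self.penalty = reinforce, evaporate, penalty

    def pick(self, exclude=()):
        """Follow the strongest trail; ties go to the earliest-listed route."""
        candidates = [r for r in self.pheromone if r not in exclude]
        return max(candidates, key=self.pheromone.get)

    def report(self, route, success):
        """All trails fade a little; the one just used is reinforced or, if blocked, cut sharply."""
        for r in self.pheromone:
            self.pheromone[r] *= self.evaporate
        if success:
            self.pheromone[route] += self.reinforce
        else:
            self.pheromone[route] *= self.penalty

    def send(self, attempt):
        """Try routes strongest-first until one works; return the route used, or None."""
        tried = set()
        while len(tried) < len(self.pheromone):
            route = self.pick(exclude=tried)
            tried.add(route)
            ok = attempt(route)
            self.report(route, ok)
            if ok:
                return route
        return None


def simulate(router, blocked, requests):
    """Constructed traffic: routes in `blocked` fail every time; returns the route used per request."""
    return [router.send(lambda r: r not in blocked) for _ in range(requests)]


if __name__ == "__main__":
    router = TrailRouter(["ns1", "ns2", "ns3"])
    print(simulate(router, {"ns1"}, 5))  # ns1 is blocked: the colony settles on ns2
    print(simulate(router, {"ns2"}, 3))  # ns2 goes down next: traffic shifts to the next strongest trail
```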
33. SLIDE REFERENCES
3:
http://farm4.static.flickr.com/3103/2853985315_b8805e2eb6.jpg
http://www.secmeme.com/2011/03/too-much-security.html
http://eveopportunist.blogspot.com/2013/01/corp-security-part-1-risks-without.html
6:
http://www.scenicreflections.com/media/522287/forrest_trail_Wallpaper/
http://pixdaus.com/files/items/pics/1/90/274190_2a5dba1dae456cf9576bfad78d36438f_large.jpg
http://www.altaplanning.com/App_Content/images/fp_img/pacific_crest_trail_fld.jpg
http://www.wallpaperhi.com/thumbnails/detail/20111201/fall_trail.jpg
http://www.ganeshbhandari.com/wp-content/uploads/2011/07/Mount-Everest-1.jpg
7:
http://teachersites.schoolworld.com/webpages/KJordan1/imageGallery/DinosaursRef1.gif
http://upload.wikimedia.org/wikipedia/commons/f/f1/Maginot_Line_ln-en.jpg
http://www.reuters.com/article/2012/09/12/us-usa-security-nuclear-idUSBRE88B06E20120912
8:
Source: http://money.cnn.com/galleries/2011/technology/1107/gallery.cyber_security_costs/4.html
Source: http://datalossdb.org/statistics
Source: http://en.community.dell.com/dell-groups/dell_it_efficiency_metrics/w/overall_it_performance_metrics/it-spending-as-a-percent-of-overall-revenue.aspx
Source: http://www.computerworld.com/s/article/9187239/How_much_should_you_spend_on_IT_security_
16:
https://www.asis2012.org/news/announcements/Documents/Utility%20Smart%20Grid%20Security.pdf?Mobile=1&Source=%2Fnews%2Fannouncements%2F_layouts%2Fmobile%2Fview.aspx%3FList%3D05cf25b5-c813-402e-8766-26867cdd4b7a%26View%3D8779b205-936e-4b86-aabb-f36578c11b8e%26CurrentPage%3D1
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/SCADA_Procurement_Language.pdf
20:
http://thumbs.dreamstime.com/z/nfl-football-field-eps-16199956.jpg
http://www.popularmechanics.com_Model_T_-_back_view.jpg
http://en.wikipedia.org/wiki/File:Collision_Warning_Brake_Support.jpg
27:
http://www.brecknock.com/colimonb
28:
http://www.lions.org/lion-the-animal-more.html