Why Corporate Security Professionals Should Care About Information Security

Resolver Inc.
May. 30, 2018

  1. Information Security for Corporate Security Professionals
  2. Or…Why Corporate Security Professionals Should Care About Information Security
  3. Hello! I am David Ksiazek, Security Services Director at Alliance Technology Group. david.ksiazek@alliance-it.com
  4. My Background ▪ System Administration ▪ SQL Development ▪ IT and Internal Audit, 2003-2010 ▪ IT Security, 2008 – Present ▪ Worked on team that wrote FedRAMP HIGH Baseline
  5. Agenda
  6. Agenda ▪ Impact of Physical Security Threats and How They Affect Information Security ▪ Build and Use Cybersecurity RMF to Drive to Informed Decision Making
  7. Short Answer?
  8. Why Should Corporate Security Professionals Care about Information Security? ▪ Obvious: Data is valuable ▪ Obvious: IT assets are valuable
  9. “Interconnectedness between physical and logical systems means the ability to affect physical security on an organization’s premises no longer requires a physical presence on said premises.”
  10. Interconnectedness ▪ Enables theft without physical presence ▪ Can be enabled by systems meant to prevent those very threats
  11. Interconnectedness ▪ Physical assets increasingly connected to logical systems: Internet of Things (IOT) ▪ Systems that protect these assets are controlled by or at least connected to Information Technology (IT) systems
  12. Interconnectedness ▪ Operational Technology (OT) systems that control physical assets are likely to be connected and integrated into IT systems ▪ Compromising these systems is a major goal of malicious actors
  13. Interconnectedness ▪ Internet of Things (IoT) connected devices can be used as data sources to direct Distributed Denial of Service (DDoS) levels of traffic against the intended target ▪ These same levels of traffic can also overwhelm the network on which the infected devices exist, rendering the devices useless to the owning organization
  14. Case Study : Mirai
  15. Mirai Overview ▪ October 2016: the Mirai botnet was used to DDoS DYN, a web hosting company ▪ A botnet is a collection of internet-connected computers, a sort of hacked-together supercomputer that can be used for malicious purposes ▪ The DDoS came from re-routing traffic from compromised IoT devices, particularly IP cameras
  16. Mirai Result ▪ Attack on DYN took down Twitter, the Guardian, Netflix, Reddit, CNN ▪ DYN lost about 14,500 domain customers, about 12% of total customers ▪ More than doubled the bandwidth usage for the 600,000 infected devices over the 77 hours of the attack
  17. Loss of Control “infected devices caused a degraded user experience for the device owner, as devices that are involved in attacks can interfere with the owner’s use of both the device and the network to which it is connected” - Berkeley School of Information Report
  18. Mirai Means “Future” ▪ October 2017: a massive new botnet called Reaper forms ▪ Check Point has found that fully 60 percent of the networks it tracks have been infected with the Reaper malware ▪ An estimated one million organizations have already been scanned, with an unknown number actually infected ▪ Recruiting IoT devices such as wireless IP cameras ▪ Check Point researchers discovered ‘IoTroop’, evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016
  19. Recommendations
  20. Share and Share Alike ▪ Get your IT, OT, Physical Security and Risk Management teams together ▪ Your IT group knows all about the technology side of security, but they have little expertise in translating it into business risk ▪ The parties need to understand one another and have coordinated responses
  21. Share and Share Alike
  22. Organize Your Efforts ▪ Determine what information security standard applies to your industry and base your cybersecurity framework on its practices ▪ We use and recommend the National Institute of Standards and Technology (NIST) publications: ▪ Framework for Improving Critical Infrastructure Cybersecurity ▪ SP 800-53, Recommended Security Controls for Federal Information Systems ▪ Review your insurance coverage to ensure that at least one policy (cyber, crime, property, or liability) will respond to any successful cyber attack
  23. Use a Risk Management Framework ▪ Organizations often need to comply with more than one framework, based on any number of the following requirements: • Statutory (Sarbanes-Oxley (SOX), FISMA, NY-DFS, GDPR) • Regulatory (PII, HIPAA) • Contractual (PCI, CUI)
  24. Use a Risk Management Framework ▪ Frameworks often overlap in their coverage of control areas ▪ They can be mapped to one another, so that satisfying a control once can be credited against several frameworks
  25. Risk Management Framework - Policies ▪ Start with policies ▪ Policies should be implemented that require compliance with the relevant portions of the identified RMFs o Policies should be adopted and promoted at the highest levels of the organization to: o Compel compliance efforts, and… o Justify the budget that enables compliance
  26. Inventory ▪ You first have to know what you are securing ▪ Show of hands: who knows whether they have a complete asset and configuration inventory?
  27. It’s Classified ▪ Inventory your Assets, including Data ▪ And then Classify that data based on business criticality, as well as on sensitivity/confidentiality of data ▪ NIST standard: ➢ C – Criticality ➢ I – Integrity ➢ A – Availability ➢ LOW ➢ MODERATE ➢ HIGH
  28. It’s Classified ▪ The highest level among the three attributes (C-I-A) determines the level of compliance required ▪ Low requires a low level of controls ▪ Moderate requires more controls ▪ High adds controls that generally automate the Moderate controls
  29. Inventory ▪ Identify critical assets (Physical and Logical) and network access points at your facilities (both physical and logical) ▪ Determine how access is controlled ▪ Prioritize actions to improve access control where needed
  30. Scan ▪ Assess assets regularly ▪ Scan for compliance with an approved baseline configuration ▪ Scan to identify critical or vulnerable assets and scan them for known vulnerabilities
  31. Remediate ▪ Patch identified vulnerabilities ▪ High/Critical – as quickly as possible ▪ Moderate – within 7-10 days ▪ Low – within 30 days ▪ Scales vary, and can take asset criticality and exploitability into account ▪ Update or re-image servers or workstations that are out of compliance with the approved baseline ▪ Use micro-segmentation or Software Defined Networking to isolate assets
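Slides 27 through 31 describe one procedure: classify each asset by its C-I-A levels, take the highest as its required baseline, scan, and patch within a window set by severity. The following is an added example, not material from the deck, that runs that procedure over a constructed inventory and constructed scan findings; the asset names, placeholder finding ids, the 0-day reading of "as quickly as possible" and the 7-day tightening for HIGH assets are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = {"LOW": 0, "MODERATE": 1, "HIGH": 2}

@dataclass
class Asset:
    name: str
    confidentiality: str  # impact level: LOW, MODERATE or HIGH
    integrity: str
    availability: str

def categorize(asset):
    """Slide 28 rule: the highest of the three C-I-A impact levels
    sets the control baseline required for the asset."""
    return max((asset.confidentiality, asset.integrity, asset.availability),
               key=LEVELS.__getitem__)

def patch_deadline_days(severity, asset_level):
    """Slide 31 windows. Assumed here: 'as quickly as possible' = 0 days; Moderate
    uses the 10-day upper bound, tightened to 7 days for HIGH-categorized assets."""
    sev = severity.upper()
    if sev in ("CRITICAL", "HIGH"):
        return 0
    if sev == "MODERATE":
        return 7 if asset_level == "HIGH" else 10
    if sev == "LOW":
        return 30
    raise ValueError("unknown severity: " + severity)

def overdue_findings(assets, findings, today):
    """Return (asset, finding id, days late) for every finding past its window."""
    by_name = {a.name: a for a in assets}
    late = []
    for asset_name, vuln_id, severity, found in findings:
        level = categorize(by_name[asset_name])
        due = found + timedelta(days=patch_deadline_days(severity, level))
        if today > due:
            late.append((asset_name, vuln_id, (today - due).days))
    return late

# Constructed inventory: a badge/door controller (OT) and a lobby IP camera.
ASSETS = [Asset("badge-controller-01", "MODERATE", "HIGH", "HIGH"),
          Asset("lobby-ipcam-07", "LOW", "LOW", "MODERATE")]
# Constructed scan output: (asset, placeholder finding id, severity, date found).
FINDINGS = [("badge-controller-01", "FINDING-PLACEHOLDER-1", "Moderate", date(2018, 5, 1)),
            ("lobby-ipcam-07", "FINDING-PLACEHOLDER-2", "Low", date(2018, 5, 1)),
            ("lobby-ipcam-07", "FINDING-PLACEHOLDER-3", "Critical", date(2018, 5, 29))]
REPORT_DATE = date(2018, 5, 30)
```

Calling `overdue_findings(ASSETS, FINDINGS, REPORT_DATE)` flags the controller's Moderate finding (22 days late, because the HIGH-categorized asset got the 7-day window) and the camera's Critical finding (1 day late), while the camera's Low finding is still inside its 30-day window.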
  32. Incident Response ▪ Create a documented incident-response plan so that employees are prepared to respond appropriately during cyber events ▪ Plans need to be part of a complete risk management program, not just a document ▪ Test the plan: tabletop simulation exercises can be a very effective means of testing the adequacy of a plan and its restoration time windows
  33. Thanks! Any questions? david.ksiazek@alliance-it.com