Transcript Intro to I@R
InfoSec Controls Selection Strategies
Presented to:
Oregon Connections Telecom Conference
Presented by: David Trepp, M.S.
October 23, 2014
Info@Risk Facts
• Oregon S Corporation
• Certified Veteran Owned Small Business
• Assessment-Only Vendor
• Providing Infosec Risk Analysis Services Since January, 1998 and Performed Thousands of Engagements
• Notable Project Team Certifications:
  – CISSP: Certified Information System Security Professional
  – CISA: Certified Information Systems Auditor
  – CWASS: Certified Web Application Security Specialist
  – CEH: Certified Ethical Hacker
  – CPT: Certified Penetration Tester
  – CHP: Certified HIPAA Professional
  – CSCS: Certified Security Compliance Specialist
Information Security Safeguard Domains
• Administrative
• Physical
• Technological
• Human
Information Security Impacts
• The C-I-A Triad of Information Security: Confidentiality, Integrity, Availability
InfoSec Controls
• Security Controls Come in Three Flavors:
  – Administrative
  – Logical
  – Physical
• Major Control Functions Include:
  1. Preventative: Prevent an attack or security event prior to it occurring, e.g. firewall, access control list (ACL), door lock
  2. Detective: Detect an attack or security event during or after the attack/event, e.g. Intrusion Detection System (IDS), log monitoring, motion sensors
  3. Corrective: Limit the damage / scope of an attack or security event, e.g. invoke IR procedure, restore trusted backup, remediate vulnerability
  4. Deterrent: Deter (not stop) an attack or security event, e.g. security/privacy notices/warnings, visible cameras
  5. Compensating: Provide a counterbalance for a weakness in an applied control, e.g. system/process isolation, layers of AV/malware protection
  6. Directive: Mandated by law, regulation, or compliance, e.g. PCI, CJIS, InfoSec Policy
NIST InfoSec Risk Management Program
Source: NIST Special Publication 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems
Use A Risk Management Strategy
• Whether:
  – Planning an Entire InfoSec Program
  – Selecting Common InfoSec Controls
  – Selecting InfoSec Controls for Any Given Application or System
Step One: Categorize
• Perform Risk Assessment
• Five Pillars of Risk Assessment (from NIST SP 800-30):
  I: Business (Clinical) Process Characterization
  II: Systems Characterization
  III: Threat Modeling
  IV: Controls Documentation
  V: Quantifying Risk (Risk = Likelihood * Impact)
• Ask the vendor pointed questions about their system’s security features and configurations:
  – Encryption: at rest & in transit
  – Credential storage
  – Default services
  – Default credentials
  – Account types and privileges
• For threat modeling, play the “what if” game for Confidentiality, Integrity and Availability (CIA)
• Get upper management approval for acceptable risk thresholds
Step Two: Select
• Every system should have system-specific security controls and common (network-wide) security controls
  – Best if chosen from a standardized catalog, e.g. ISO or NIST
  – Many common organizational controls may already be in place, e.g. door locks to server room, firewalls, etc., but make sure they are both applicable and deployed to support the system
  – System-specific controls may be administrative/contractual in nature
• Limit administrative accounts in number and privilege
• Ensure dual controls and least privilege
• Encrypt
• Disable unnecessary services
• Change default account settings
• Consider Outsourced vs. In-house System Risks
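Steps One and Two above can be worked as a small risk register: score each “what if” threat as Risk = Likelihood * Impact, apply the selected controls, and compare the residual against the management-approved threshold. This is an added illustration in Python, not Info@Risk’s or NIST’s tooling; the 1-5 scale, the rule that preventative/deterrent controls lower likelihood while corrective/compensating controls lower impact, and the patient-portal threats are constructed assumptions.

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 (low) to 5 (high); a constructed ordinal scale, not from the talk
# Modelling assumption: preventative/deterrent controls lower likelihood, corrective/compensating lower impact
REDUCES = {"Preventative": "likelihood", "Deterrent": "likelihood", "Corrective": "impact", "Compensating": "impact"}

@dataclass
class Threat:
    system: str
    area: str      # Confidentiality, Integrity or Availability, from the "what if" game
    what_if: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)  # (name, control function, scale points removed)

def risk(likelihood: int, impact: int) -> int:
    """Risk = Likelihood * Impact, rejecting scores that are off the agreed scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact

def residual(t: Threat) -> int:
    """Apply the selected controls: each lowers likelihood or impact, never below 1."""
    like, imp = t.likelihood, t.impact
    for _name, function, by in t.controls:
        if REDUCES[function] == "likelihood":
            like = max(1, like - by)
        else:
            imp = max(1, imp - by)
    return risk(like, imp)

def build_register(threats, accept_at_or_below: int):
    """Rank threats by residual risk; anything above the approved threshold needs remediation."""
    rows = []
    for t in threats:
        r = residual(t)
        rows.append({"system": t.system, "area": t.area, "what_if": t.what_if,
                     "inherent": risk(t.likelihood, t.impact), "residual": r,
                     "disposition": "accept" if r <= accept_at_or_below else "remediate"})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

# Constructed sample: a vendor-hosted patient portal scored after asking the vendor the talk's questions
SAMPLE = [
    Threat("Patient portal", "Confidentiality", "vendor default admin credential still in use", 4, 5,
           [("Change default account settings", "Preventative", 3)]),
    Threat("Patient portal", "Availability", "cloud outage with an untested restore", 3, 4,
           [("Restore trusted backup", "Corrective", 1)]),
    Threat("Patient portal", "Integrity", "user edits records with no audit trail", 2, 3),
]
```

With a management-approved threshold of 6, `build_register(SAMPLE, 6)` leaves the availability threat at residual 9 and marked for remediation while the other two are accepted.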
Selection Planning Should…
All Systems & Applications
• Assume it’s your problem and your responsibility
  – It’s your institution, but you’re just one more client to a vendor
• Assume that your users will attempt to circumvent/simplify controls
  – Teach them about secure passwords and password storage
• Overestimate customization and integration costs
  – Cloud customization and integration are high-margin revenue sources for cloud providers
• Include periodic incident response exercises
  – Cloud breaches and outages are a different animal altogether
• Include periodic penetration testing
  – Networks and applications are never static
Outsourced/Cloud Systems & Applications
• Overestimate bandwidth usage
  – Bandwidth usage never shrinks
• Assume that your IT team will need some technical cloud/outsourced app training
  – Or your organization will be easily taken advantage of and helpless in a crisis
• Overestimate usage for pay-per-use costs
  – Pay-per-use services must be turned off when not in use (not a human strong suit)
• Overestimate the number of users for pay-per-user costs
  – Lots of Salesforce.com installations have begun with just a handful of users, at a modest cost
• Overestimate storage costs and de-duplicate where possible
  – Storage requirements (for both applications and their backups) never shrink
• Establish resource caps with alerts
  – The cloud’s elasticity can result in runaway expenditures
• Begin with a thorough InfoSec Risk Assessment
  – Making informed, risk-based decisions is paramount!
Systems & Applications Should Have…
All Systems & Applications
– Ability to customize applications (or, at least, reporting)
– Ability to interface applications
– Ability to provide trial evaluation periods
– No hardcoded credentials or keys
– Secure development controls
– Secure mobile support controls
– Secure encryption controls
  • In transit, e.g. IPSec with AES, SSH, SSL/TLS
  • At rest (consider Hypervisor, OS, & DB levels)
    – ePHI & other sensitive data
    – Credential hashes
    – Session keys
    – Log files
    – Configuration files
    – Backup files
    – Data in RAM, e.g. credentials
Outsourced/Cloud Systems & Applications
– Secure multi-tenant silos & virtualization controls
– Secure authentication, authorization & access controls (i.e. more than an 8 char pw)
– Rigorous patch management program for Hypervisor, OS, DB & Apps
– Rigorous availability controls
– Rigorous multi-tenant logging and audit trail controls, e.g. switches, routers, firewalls
– Rigorous multi-tenant intrusion detection & alerting controls
– Rigorous multi-tenant forensics controls, e.g. see NIST Interagency Report 8006
Step Three: Implement
• Implement security controls as prescribed by Risk Assessment & Controls Selection
  – With the possible exception of Cloud solutions, the system vendor is rarely the appropriate party to implement security controls protecting their system
  – Administrative control implementations often conflict with vendors’ “let’s keep it easy and inexpensive to support” philosophy:
    • Easy remote access
    • Standard, weak default credentials
  – Vendors must be forced to toe the line as Business Associates
Contract Controls Should Include…
All Systems & Applications
– Provisions for disclosure of all accounts, their minimum credential requirements, & privilege levels
– Provisions for clear delineation of data & application ownership
– Inclusion of fees for all required services
– Provisions for trial evaluation periods
– Indemnity for patent, trademark, and copyright violations
– Provisions for dispute resolution
– Provisions for software escrow
– Provisions for penetration testing/vulnerability assessment
– Use of “shall” verbiage for due diligence and due care (instead of “best effort,” “goal,” or “target” verbiage)
Outsourced/Cloud Systems & Applications
– FedRAMP compliance attestation
– SLA attestations, e.g. downtime, performance, etc.
– Provisions for data breach notifications, incident escalation & forensics
– Provisions for e-discovery data requests
– Provisions for normal, end-of-contract, or end-of-business data access & migration
– Evidence of vendor risk management (outsource/cloud vendor and their vendors):
  • Test and Assessment results (or, at least, an auditor's cover letter)
  • InfoSec policies, standards, procedures & controls
Step Four: Assess
• Perform Risk Analysis Activities
  – Covering all four Safeguard Domains: Administrative, Physical, Human, Technological
  – Against all Impacts: Confidentiality, Integrity, Availability
  – Testing all Control Types: Administrative, Logical, Physical
Step Five: Authorize
• Remediate vulnerabilities found during risk analysis and Authorize as “functioning as intended”
  – Remediation can be the most onerous part of the process
  – May require significant human-hours
  – May involve third party vendors
  – May involve budget line items
Step Six: Monitor
• Don’t fall asleep at the wheel, because information systems are not “set it and forget it” from a security perspective
• Patch management for vulnerable operating systems, database engines, development environments, and the Internet of Things is crucial, and often managed by the vendor
• Monitor system logs and intrusion detection/prevention systems
• Get stakeholders and vendors used to the idea of periodic security testing, reporting, and meetings
Rinse and Repeat, as necessary!
Conclusions
• Information Security is a balance between necessary access and restrictions
• Effective Information Security requires organizational understanding of business needs and threats to information assets
• Thoroughly informed, risk-based decisions are a necessary element in achieving Information Security balance
• Following a standard process for categorizing, selecting, implementing, assessing, authorizing, and monitoring security controls aids informed decision making and helps to avoid costly mistakes
Contact Info: David Trepp President [email protected]
877-328-7475