Transcript Intro to I@R

InfoSec Controls Selection
Strategies
Presented to:
Oregon Connections
Telecom Conference
Presented by:
David Trepp, M.S.
October 23, 2014
Info@Risk Facts
•
•
•
•
Oregon S Corporation
Certified Veteran Owned Small Business
Assessment-Only Vendor
Providing Infosec Risk Analysis Services Since
January, 1998 and Performed Thousands of
Engagements
• Notable Project Team Certifications:
–
–
–
–
–
–
–
CISSP: Certified Information System Security Professional
CISA: Certified Information Systems Auditor
CWASS: Certified Web Application Security Specialist
CEH: Certified Ethical Hacker
CPT: Certified Penetration Tester
CHP: Certified HIPAA Professional
CSCS: Certified Security Compliance Specialist
Information Security
Safeguard Domains
Administrative
Physical
Technological
Human
Information Security
Impacts
•
The C-I-A Triad of Information
Security:
InfoSec Controls
• Security Controls Come in Three Flavors:
–Administrative
–Logical
–Physical
• Major Control Functions Include:
1. Preventative: Prevent an attack or security event prior to it occurring
e.g. firewall, access control list (ACL), door lock
2. Detective: Detect an attack, security event after OR during the attack/event
e.g. Intrusion Detection System (IDS), log monitoring, motion sensors
3. Corrective: Limit the damage / scope of an attack or security event
e.g. invoke IR procedure, restore trusted backup, remediate vulnerability
4. Deterrent: Deter (not stop) an attack, security event
e.g. security/privacy notices/warnings, visible cameras
5. Compensating: Provide counterbalance for a weakness in an applied control
e.g. System/process isolation, layers of AV/malware protection
6. Directive: Mandated by law, regulation, compliance
e.g. PCI, CJIS, InfoSec Policy
NIST InfoSec Risk Management Program
Source: NIST
Special Publication
800-37
Guide for Applying
the Risk
Management
Framework to
Federal
Information
Systems
Use A Risk Management Strategy
• Whether:
– Planning an Entire InfoSec Program
– Selecting Common InfoSec Controls
– Selecting InfoSec Controls for Any Given Application or
System
Step One: Categorize
• Perform Risk Assessment
• Five Pillars of Risk Assessment (from NIST SP-800-30)
I: Business (Clinical) Process Characterization
II: Systems Characterization
III: Threat Modeling
IV: Controls Documentation
V: Quantifying Risk (Risk = Likelihood * Impact)
 Ask the vendor pointed questions about their System’s security features
and configurations





Encryption: at rest & in transit
Credential storage
Default services
Default credentials
Account types and privileges
 For threat modeling, play the “what if” game for Confidentiality, Integrity
and Availability (CIA)
 Get upper management approval for acceptable risk thresholds
Step Two: Select
• Every System should have system-specific
security controls and common (network-wide)
security controls
 Best if chosen from a standardized catalog, e.g. ISO or NIST
 Many common organizational controls may already be in place, e.g. door
locks to server room, firewalls, etc., but make sure they are both
applicable and deployed to support the system
 System-specific controls may be administrative/contractual in nature





Limit administrative accounts in number and privilege
Ensure dual controls and least privilege
Encrypt
Disable unnecessary services
Change default account settings
 Consider Outsourced vs. In-house System Risks
Selection Planning Should…
All Systems & Applications
• Assume it’s your problem and your responsibility
It’s your institution, but you’re just one more client to a vendor
•
Assume that your users will attempt to circumvent/simplify controls
Teach them about secure passwords and password storage
•
Overestimate customization and integration costs
Cloud customization and integration are high-margin revenue sources for cloud providers
•
Include periodic incident response exercises
Cloud breaches and outages are a different animal altogether
•
Include periodic penetration testing
Networks and applications are never static
Outsourced/Cloud Systems & Applications
• Overestimate bandwidth usage
Bandwidth usage never shrinks
•
Assume that your IT team will need some technical cloud/outsourced app training
Or your organization will be easily taken advantage of and helpless in a crisis
•
Overestimate usage for pay-per-use costs
Pay-per-use services must be turned off when not in use (not a human strong suit)
•
Overestimate the number of users for pay-per-user costs
Lots of Salesforce.com installations have begun with just a handful of users, at a modest cost
•
Overestimate storage costs and de-duplicate where possible
Storage requirements (for both applications and their backups) never shrink
•
Establish resource caps with alerts
The cloud’s elasticity can result in runaway expenditures
•
Begin with a thorough InfoSec Risk Assessment
Making informed, risk-based decisions is paramount!
Systems & Applications Should Have…
All Systems & Applications
–
–
–
–
–
–
–
Ability to customize applications (or, at least, reporting)
Ability to interface applications
Ability to provide trial evaluation periods
No hardcoded credentials or keys
Secure development controls
Secure mobile support controls
Secure encryption controls
• In transit, e.g. IPSec with AES, SSH, SSL/TLS
• At rest (consider Hypervisor, OS, & DB levels)
–
–
–
–
–
–
–
ePHI & other sensitive data
Credential hashes
Session keys
Log files
Configuration files
Backup files
Data in RAM, e.g. credentials
Outsourced/Cloud Systems & Applications
–
–
–
–
–
–
–
Secure multi-tenant silos & virtualization controls
Secure authentication, authorization & access controls (i.e. more than an 8 char pw)
Rigorous patch management program for Hypervisor, OS, DB & Apps
Rigorous availability controls
Rigorous multi-tenant logging and audit trail controls, e.g. switches, routers, firewalls
Rigorous multi-tenant intrusion detection & alerting controls
Rigorous multi-tenant forensics controls, e.g. see NIST Interagency Report 8006
Step Three: Implement
• Implement security controls as prescribed by
Risk Assessment & Controls Selection
 With the possible exception of Cloud solutions, the system
vendor is rarely the appropriate party to implement security
controls protecting their system
 Administrative control implementations often conflict with
vendors’ “let’s keep it easy and inexpensive to support”
philosophy
 Easy remote access
 Standard, weak default credentials
 Vendors must be forced to toe the line as Business
Associates
Contract Controls Should Include…
All Systems & Applications
– Provisions for disclosure of all accounts, their minimum credential requirements, &
privilege levels
– Provisions for clear delineation of data & application ownership
– Inclusion of fees for all required services
– Provisions for trial evaluation periods
– Indemnity for patent, trademark, and copyright violations
– Provisions for dispute resolution
– Provisions for software escrow
– Provisions for penetration testing/vulnerability assessment
– Use of “shall” verbiage for due diligence and due care (instead of “best effort,” “goal,”
or “target” verbiage)
Outsourced /Cloud Systems & Applications
– FedRAMP compliance attestation
– SLA attestations, e.g. downtime, performance, etc.
– Provisions for data breach notifications, incident escalation & forensics
– Provisions for e-discovery data requests
– Provisions for normal, end-of-contract, or end-of-business data access & migration
– Evidence of vendor risk management (outsource/cloud vendor and their vendors)
• Test and Assessment results (or, at least, an auditor's cover letter)
• InfoSec polices, standards, procedures & controls
Step Four: Assess
Perform Risk Analysis Activities
 Covering all four Safeguard Domains




Administrative
Physical
Human
Technological
 Against all Impacts
 Confidentiality
 Integrity
 Availability
 Testing all Control Types
 Administrative
 Logical
 Physical
Step Five: Authorize
• Remediate vulnerabilities found during risk
analysis and Authorize as “functioning as
intended”
 Remediation can be the most onerous part of the process
 May require significant human-hours
 May involve third party vendors
 May involve budget line items
Step Six: Monitor
• Don’t fall asleep at the wheel, because
information systems are not “set it and forget
it” from a security perspective
 Patch management for vulnerable operating systems,
database engines, development environments, and the
Internet of Things is crucial, and often managed by the
vendor
 Monitor system logs and intrusion detection/prevention
systems
 Get stakeholders and vendors used to the idea of periodic
security testing, reporting, and meetings
• Rinse and Repeat, as necessary!
Conclusions
 Information Security is a balance between necessary access and restrictions
 Effective Information Security requires organizational understanding of business
needs and threats to information assets
 Thoroughly informed, risk-based decisions are a necessary element in achieving
Information Security balance
 Following a standard process for categorizing, selecting, implementing,
assessing, authorizing, and monitoring security controls aids informed decisionmaking and helps to avoid costly mistakes
Thank you!
Questions?
Contact Info:
David Trepp
President
[email protected]
877-328-7475