Stop Managing Security. Start Managing Risk. CIO Interact Conference 8 May 2007.

Transcript of Stop Managing Security. Start Managing Risk. CIO Interact Conference 8 May 2007.

Page 1: Stop Managing Security. Start Managing Risk. CIO Interact Conference 8 May 2007.

Stop Managing Security. Start Managing Risk.

CIO Interact Conference

8 May 2007

Page 2:

Security Governance

Darren O’Loughlin

General Manager - Security

Dimension Data Australia

Page 3:

Governance Challenges: Perceptions & Reality

IT Security is viewed as an expense and NOT an enabler

• Security is treated as a regulatory and governance requirement rather than a business enabler

Security budgets and technology investment decisions may not be appropriately aligned to the organisation's risk management framework

Page 4:

Governance Challenges: Perceptions & Reality

Information Security Governance is relegated to the IT Department and NOT addressed at the executive level of the organisation

• IT department personnel are limited in capacity, focused on service delivery, and prioritise based on business requirements, with security as an addendum

• Security effort is typically focused on specific tactical requirements and is not aligned to address the critical security risks which may impact the overall environment

• Without a formal framework mandated by the executive, a security governance discipline will not be attained; it will always be best effort rather than a duty of care

Page 5:

Governance Challenges: People & Processes

Few organisations have the internal expertise and resources to handle the challenges inherent in providing and maintaining an adequate security posture

• Security is a relatively new discipline and covers a multitude of IT functions, e.g. from secure coding practices to risk management

• A dedicated Security Officer / function is unlikely in small to medium enterprises

• Security personnel with appropriate risk governance, management, architecture and technical skills can be expensive to recruit, hire and retain, which is a challenging problem for organisations with limited IT budgets

Page 6:

Governance Challenges: Technology

Infrastructure

• Converged Network

• Costs (Firewalls, IPS, VPNs, Proxies, RAS, Enterprise Vulnerability Management)

Allocation of either excessive or insufficient funding to address residual risks, resulting in inconsistent and inappropriate application of technology security controls

Technology Competencies

• Deploying, learning and managing new security technology is challenging

Reactive investments result in disparate security measures / architecture assembled to address ad-hoc business initiatives

Page 7:

Governance Challenges: Compliance

Top Down Risk Assessment Approach?

• Independent Audits, including:
  − Internal & External
  − Special Audits

• Regulatory Drivers, including:
  − Privacy Act – National Privacy Principles
  − Payment Card Industry Data Security Standard (PCI DSS)
  − Sarbanes-Oxley
  − Basel II
  − Federal Government
  − Corporate Governance (Corporations Law)

Page 8:

Governance Challenges: Drivers for Change

Business Threats

• Loss of public confidence / reputation;

• Privacy loss;

• Direct business losses (e.g., Fraud);

• Business disruption; and

• Legal liability.

Page 9:

Governance Challenges: Drivers for Change

Vulnerabilities

• Software defects
  − design & coding flaws

• Configuration errors
  − dangerous and unnecessary services, default configurations, administrative access and administration errors

Page 10:

Enterprise Case Study

Vulnerability scan results by IP address range (number of active assets, and the count of findings at each risk level):

IP Address Range        Active Assets   High    Med     Low     Informational
10.2.0.0 - 255.255        786            377     903    1169     1380
10.4.0.0 - 255.255        639            525     853     968     1117
10.59.0.0 - 255.255       993            402     416     772      800
10.114.0.0 - 255.255      107             31      84     416      349
10.120.9.0 - 102.170      256             46     116     411      245
Sub Total                2781           1381    2372    3736     3891

High + Medium findings combined: 3753

Page 11:

Threat and Vulnerability Management Strategy

Defence in Depth Strategies

• Adopt and embed an organisational specific ISMS Framework

• Adopt a Vulnerability Management strategy

• Network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from viruses, worms and spyware

• Inline Intrusion Prevention Systems

• Improve End Point Security

• Application specific firewalls or leverage application awareness of existing firewalls

• Deploy additional antivirus protection points

Page 12:

Michael Sentonas

Director, SE & Services - APAC

McAfee

Stop Managing Security. Start Managing Risk.

Page 13:

Inefficient Risk & Compliance Approach

Processes

• “Fire-drill” response lacks workflow

• Spreadsheet and Post-it

• Scan everything and fix everything approach

People

• Manual approach

• Multiple audiences

• Lack of coordination

Technologies

• Too many vendors

• Little integration

• Too much data

• Too many agents

• Too many consoles

Result? Wasted resources, subjective risk scores, lack of visibility and inconsistent reporting

Page 14:

Do you know which security risks you face?

If you can’t measure it, you can’t manage it

• Is your security spend reducing your risk exposure?

Our digital neighborhood keeps getting tougher and riskier every day:

• Threats are increasing in number – more than 2,000 a day

• More than 200,000 online threats expected over the next two years, more than the total of the past 20 years – McAfee Avert Labs

• Hackers compete to have a “month of browser bugs”

• More high risk vulnerabilities released in 2006 than all of 05 & 06

• OS vendors taking months to release patches

Our speed of reaction determines how well we do against the “bad guys”

• We need to respond appropriately with proper testing and change control

Source: Computer Security Institute

Page 15:

Do you know what you are protecting?

Not all assets are created equal

• If a server stops working the business stops

• If the reception computer stops the receptionist uses pen and paper

Do you focus on protecting the most valuable assets first?

Some threats may not impact you; other threats may be critical

Do you know which applications are on your computers?

• When SQL Slammer hit, many businesses were surprised to find SQL databases on their users’ computers, not just on corporate servers

Consider:

♦ Business value of the asset (A)

♦ Vulnerabilities that exist on each asset (V)

♦ Probability that a threat could exploit the vulnerability (T)

♦ Existence of a properly configured countermeasure (CM)

Risk = (A × V × T) / CM

Page 16:

Implement a Priority-Based approach

Effective VM allows you to always focus on the most critical assets first

The purpose should be to calculate risk

• Potential risk vs realised risk

Risk: correlate the known presence of a vulnerability…
  … on a business-critical asset
  … with a real-time threat exploiting that vulnerability
  … considering any countermeasures in place

Automate the process to effectively streamline and create efficiencies

Page 17:

Risk Identification

Identify potential exposures

• Attack surface area

Create an inventory of all risk exposures

• Identify known vulnerabilities

• Classify vulnerabilities
  − boundary condition, input validation, etc.

Identify the impact of each vulnerability

• Impact (High, Medium, Low) or use a numerical scale
  − How serious is the vulnerability? Remote or local access; user or privileged access required
  − What objects are exposed? Files, directories, data, passwords, etc.
  − Does it impact Confidentiality, Integrity, Availability?

Page 18:

Understand the threats you face

Unrealized Threats

• Who or what can exploit vulnerabilities

• Attack Vectors
  − Internet vs. Internal
  − Email propagation vs. one-off attacks
  − Worms – is it the next security Tsunami?

• Ease of exploitation
  − Is it trivial or theoretical?
  − Publicly available exploit

• Actors
  − Are you or your industry a target?

Realized Threats

• Event driven threats
  − Already happened
  − Attacks reported by IDS
  − Firewall or host logs

Page 19:

Remediation / Resolution

Apply the Pareto Principle – the 80/20 rule

• Focus on the vital few, not the trivial many

• 80% of your risk can be eliminated by addressing 20% of the issues

• Approach:
  − Address the greatest risks
  − Strive for sufficient risk mitigation at the lowest cost
  − Minimal impact to the business

Patch or Mitigate

• Impact on availability from a bad patch vs. the risk of not patching

• Patch or mitigate

• Recommendations:
  − QA security patches within 24 hours
  − Determine if there are widespread problems
  − Implement defence in depth
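The Risk = (A × V × T) / CM model from the "Do you know what you are protecting?" slide, the impact criteria from Risk Identification (remote vs. local, user vs. privileged, High/Medium/Low), the realised vs. unrealised threat split and the Pareto cut above, carried through as one worked example. This is added illustration code, not McAfee's or Dimension Data's; the point scales, the countermeasure factors, the asset and vulnerability names and the findings list are all constructed assumptions.

```python
"""Priority-based risk calculation: Risk = (A x V x T) / CM, then the 80/20 cut.

Added worked example for the model on the slides; it is not code from McAfee or
Dimension Data.  The scoring scales, weights, countermeasure factors and the
sample findings below are all assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # A: business value, assumed scale 1 (reception PC) .. 5 (core server)


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    access: str            # "remote" or "local"
    privilege: str         # "user" or "privileged": position the attacker needs first
    impact: str            # "high", "medium" or "low" rating from the risk identification step
    exploit_public: bool   # unrealised threat: is a working exploit published?
    seen_in_logs: bool     # realised threat: IDS / firewall / host logs show attempts


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln: Vulnerability
    countermeasure: float  # CM: 1.0 = nothing in place, 2.0 = properly configured control (assumed)


IMPACT_POINTS = {"high": 3, "medium": 2, "low": 1}  # assumed numeric scale


def vulnerability_score(v: Vulnerability) -> float:
    """V: how serious the vulnerability is (impact, remote vs local, user vs privileged)."""
    score = float(IMPACT_POINTS[v.impact])
    if v.access == "remote":
        score *= 2.0    # reachable without a foothold on the box
    if v.privilege == "user":
        score *= 1.5    # no privileged position required to exploit
    return score


def threat_score(v: Vulnerability) -> float:
    """T: likelihood a threat exploits it; a realised threat outranks a public exploit."""
    if v.seen_in_logs:
        return 3.0      # already being attempted against us
    if v.exploit_public:
        return 2.0      # trivial rather than theoretical
    return 1.0          # theoretical only


def risk(f: Finding) -> float:
    """Risk = (A x V x T) / CM for one vulnerability on one asset."""
    return f.asset.value * vulnerability_score(f.vuln) * threat_score(f.vuln) / f.countermeasure


def prioritise(findings):
    """Rank findings so the most critical asset/vulnerability pairs come first."""
    return sorted(findings, key=risk, reverse=True)


def pareto_cut(findings, share=0.8):
    """Smallest prefix of the ranked list that accounts for `share` of total risk (the 80/20 rule)."""
    ranked = prioritise(findings)
    total = sum(risk(f) for f in ranked)
    chosen, covered = [], 0.0
    for f in ranked:
        chosen.append(f)
        covered += risk(f)
        if covered >= share * total:
            break
    return chosen


# Constructed sample inventory (assumed, not from the slides).
ERP_DB = Asset("erp-db-01", 5)
WEB = Asset("www-01", 4)
RECEPTION = Asset("reception-pc", 1)

SQLI = Vulnerability("V-1", "remote", "user", "high", exploit_public=True, seen_in_logs=True)
LOCAL_PRIV = Vulnerability("V-2", "local", "privileged", "medium", exploit_public=False, seen_in_logs=False)
DEFAULT_CREDS = Vulnerability("V-3", "remote", "user", "medium", exploit_public=True, seen_in_logs=False)

SAMPLE_FINDINGS = [
    Finding(ERP_DB, SQLI, countermeasure=1.0),        # nothing in front of the database
    Finding(RECEPTION, SQLI, countermeasure=1.0),     # same bug on a desktop: the SQL Slammer surprise
    Finding(WEB, DEFAULT_CREDS, countermeasure=2.0),  # default account covered by a configured control
    Finding(ERP_DB, LOCAL_PRIV, countermeasure=1.0),
    Finding(WEB, SQLI, countermeasure=2.0),           # application firewall in front of the web tier
]


def label(f: Finding) -> str:
    return f"{f.vuln.vuln_id}@{f.asset.name}"


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{label(f):22s} risk={risk(f):6.1f}")
    print("vital few:", [label(f) for f in pareto_cut(SAMPLE_FINDINGS)])
```

With these inputs the ERP database carrying the actively exploited remote bug scores 135, the same bug behind the web tier's application firewall scores 54, and the reception PC scores 27; those three findings are the "vital few" that cover 80% of the total risk of 250, while the local privileged-only bug on the ERP server (10) sits at the bottom despite being on the most valuable asset. Changing a countermeasure factor or flipping seen_in_logs is the quickest way to see why the slide insists on correlating asset, vulnerability, threat and control rather than scoring vulnerabilities alone.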

Page 20:

Are you more secure today?

…than you were yesterday or last year?

Without changes your network will get less secure

Score your network: a 0-100 security scoring system based on vulnerabilities and asset criticality

Ensure you have a clear risk score immediately visible as a statement of overall enterprise risk level

Include executive dashboards for comparing business units/regions, platforms and tracking/reporting key statistics
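A 0-100 score of the kind this slide describes, built from the Enterprise Case Study counts earlier in the deck, with the per-range breakdown for a dashboard and a comparison against an earlier scan to answer "are you more secure today?". This is added illustration code, not McAfee's or Dimension Data's scoring system; the severity weights, the worst-case density that maps to a score of 0, the criticality rating given to each range and the "previous scan" snapshot are constructed assumptions, while the current counts are those in the case-study table.

```python
"""0-100 network security score from vulnerability counts and asset criticality.

Added worked example for the scoring idea on this slide; it is not McAfee's or
Dimension Data's scoring system.  The vulnerability counts per range are taken
from the Enterprise Case Study table earlier in the deck; the criticality
ratings, the severity weights, the worst-case density and the 'previous scan'
snapshot are assumptions constructed for illustration.
"""

SEVERITY_WEIGHT = {"high": 10, "med": 4, "low": 1, "info": 0}  # assumed risk points per finding
WORST_DENSITY = 20.0  # assumed: this many risk points per active asset scores 0

# (range, criticality 1..3 (assumed), active assets, high, med, low, informational)
CURRENT_SCAN = [
    ("10.2.0.0 - 255.255",   3, 786, 377, 903, 1169, 1380),
    ("10.4.0.0 - 255.255",   2, 639, 525, 853,  968, 1117),
    ("10.59.0.0 - 255.255",  3, 993, 402, 416,  772,  800),
    ("10.114.0.0 - 255.255", 1, 107,  31,  84,  416,  349),
    ("10.120.9.0 - 102.170", 1, 256,  46, 116,  411,  245),
]

# Constructed earlier snapshot (assumed): same ranges, more unpatched high-risk findings.
PREVIOUS_SCAN = [
    ("10.2.0.0 - 255.255",   3, 780, 512, 950, 1100, 1300),
    ("10.4.0.0 - 255.255",   2, 640, 560, 870,  950, 1100),
    ("10.59.0.0 - 255.255",  3, 990, 450, 430,  760,  790),
    ("10.114.0.0 - 255.255", 1, 105,  40,  90,  400,  340),
    ("10.120.9.0 - 102.170", 1, 250,  60, 120,  400,  240),
]


def range_score(row):
    """Score one range 0 (worst) .. 100 (best) from weighted findings per active asset."""
    _, _, active, high, med, low, info = row
    points = (SEVERITY_WEIGHT["high"] * high + SEVERITY_WEIGHT["med"] * med
              + SEVERITY_WEIGHT["low"] * low + SEVERITY_WEIGHT["info"] * info)
    density = points / active if active else 0.0          # risk points per asset, not raw counts
    return round(100.0 * (1.0 - min(density, WORST_DENSITY) / WORST_DENSITY), 1)


def enterprise_score(scan):
    """Criticality-weighted mean of range scores: the single number for the executive view."""
    weighted = sum(row[1] * range_score(row) for row in scan)
    return round(weighted / sum(row[1] for row in scan), 1)


def dashboard(scan):
    """(range, criticality, score) rows, worst score first; ties go to the more critical range."""
    rows = [(row[0], row[1], range_score(row)) for row in scan]
    return sorted(rows, key=lambda r: (r[2], -r[1]))


def trend(previous, current):
    """Are we more secure today than at the last scan?  Positive delta = improvement."""
    return round(enterprise_score(current) - enterprise_score(previous), 1)


if __name__ == "__main__":
    for name, crit, score in dashboard(CURRENT_SCAN):
        print(f"{name:22s} criticality={crit} score={score:5.1f}")
    print("enterprise:", enterprise_score(CURRENT_SCAN),
          "change since last scan:", trend(PREVIOUS_SCAN, CURRENT_SCAN))
```

Normalising by active assets is what keeps the 10.4.0.0 range (525 high-risk findings on 639 hosts, score about 25) at the top of the worklist ahead of 10.2.0.0, which has more findings in absolute terms but spread over more hosts; the criticality weights then decide how much each range moves the enterprise number. Comparing two scans of the same ranges is the check the slide asks for: if the delta is negative without any change in scope, the network got less secure on its own.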

Page 21:

Stop Managing Security. Start Managing Risk.

Darren O’Loughlin:

darren.o’[email protected]

Michael Sentonas:

[email protected]