Understanding the security_organization

CIS 264 Week 1 Highline Community College Dan Morrill Understanding the Security Organization

description

Quick lecture on understanding information security in an organization


Page 1: Understanding the security_organization

CIS 264 Week 1

Highline Community College

Dan Morrill

Understanding the Security Organization

Page 2: Understanding the security_organization

Roles within the company

Risks that are part of the regulatory landscape (SOX, HIPAA, FERPA, PCI-DSS, etc.)

Risks that are part of the business decisions

Risks that are part of the technology decisions

Risks that are part of the security decisions

Example: HIPAA requires a firewall; the business decides to purchase Cisco because of an existing contract; Technology purchases a Cisco 7600 with a firewall module; Security configures it to work on the network by opening ports and allowing access to services.

What is the “security organization”?

Page 3: Understanding the security_organization

Decisions for technological solutions will be made by people who do not understand the technology

Decisions for purchasing will be made by existing contracts and discounts with IT providers

Decisions might be locked in for years (Cisco, Microsoft, Linux) because of those contracts

And it is hard to swap out technologies: it is nearly impossible for a Windows shop to go to Linux in its entirety because of “lock in” with vendors

You see this now with cloud computing, and the attempt to avoid vendor lock in with any provider

Decisions made can be complex

Page 4: Understanding the security_organization

Point solutions are still popular in organizations

Technology and security need to understand what needs to be protected in the organization

Technology and security need to understand the critical assets for business continuity (the systems the company needs to run to continue to do business)

Every manager and executive thinks that their systems are business critical and will make decisions about IT, Business Continuity, and Disaster Recovery based on that perception

Businesses are highly political

Don’t tell the VP you can’t do it, or won’t do it – they will find a way to make it happen regardless of what IT says

Decisions will be made in isolation

Page 5: Understanding the security_organization

Technology and security need to identify every IT solution in the company and how they interconnect to each other to deliver services

This includes new, old, vintage, and forgotten systems and programs

Some programs and systems will be orphaned in the organization with no clear manager or maintainer

Some users do not want their systems upgraded or changed and will help kill new systems or changes

Some managers do not want to lose what political power they have – and will help kill new systems or changes

Decisions will be made on politics

Page 6: Understanding the security_organization

Technology provides solutions to business problems; business problems are based on the perceived power of the people making those decisions

What are the systems we need to protect?

Who uses them and how?

What are the risks we are trying to reduce?

What are the highest priority risks? (This is heavily influenced by power, both actual and perceived, within an organization)

Are you reducing risks in the most cost effective way? Heavily dependent upon politics and power within the organization

Decisions will be made based on perceived power and position

Page 7: Understanding the security_organization

Risk = (threats x vulnerabilities) + (likelihood x impact) + (politics + positional power in the organization)

Risk is the probability of loss

This means uncertainty and messy answers

This means that the “risk” is open to political and positional influence up and down the organization

Risk is the possibility of a threat

How likely is something to happen, how clever are the hackers, how clever is IT and security?

Risk is qualified (measured) by how likely something is to happen to the systems

This is prone to second guessing, and lack of imagination

What is a “risk”?

Page 8: Understanding the security_organization

A vulnerability is the weakness that makes the resource susceptible to the threat.

A threat is anything capable of acting against a resource in a manner that can result in harm (intentionally or accidentally).

The likelihood is a measure of how probable it is that the threat/vulnerability pair will be realized.

The severity is a measure of the magnitude of the consequences that result from the threat/vulnerability pair being realized for that resource.

Understanding Risks

Page 9: Understanding the security_organization

Likelihood:

Critical (5) – Exposure is apparent through casual use or with publicly available information, and the weakness is accessible publicly on the Internet

High (4) – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Moderate (3) – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low (2) – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised

Extremely Low (1) – The threat-source is part of a small and trusted group, controls prevent exploitation without physical access to the target, significant inside knowledge is necessary, or purely theoretical

Understanding Risks

Page 10: Understanding the security_organization

Severity:

Critical (4) – May allow full access to or control of the application, system, or communication including all data and functionality

High (3) – May allow limited access to or control of the application, system, or communication including only certain data and functionality

Moderate (2) – May indirectly contribute to unauthorized activity or just have no known attack vector. Impact may vary as other vulnerabilities or attack vectors are identified.

Low (1) – May indirectly contribute to unauthorized activity or just have no known attack vector. Impact may vary as other vulnerabilities or attack vectors are identified.

Understanding Risks

Page 11: Understanding the security_organization

Risk Exposure:

1 – 4 Low – May have some minor effect on the system, but likely little impact to the organization overall. Recovering from such an impact will require minimal expenditures and resources. A single issue, by itself, may not place the integrity, availability, or confidentiality of a system at risk. Multiple issues in this category could be combined, however, in an exploit attempt.

5 – 7 Moderate – May result in some tangible impact to the organization. The impact could be narrow in focus and perhaps only noted by a few individuals or parts of the organization. May cause organizational embarrassment. Recovering from such an impact will require some expenditure and resources.

8 – 11 High – May cause an extensive system outage, and/or loss of customer or business confidence. May also result in compromise of a large amount of the organization’s information or services, including sensitive information. Recovering from such an impact will require a substantial amount of expenditure, resources, and time. These vulnerabilities should be taken seriously and addressed quickly.

12+ Critical – This level of risk exposure is unacceptable for any aspect of the environment. It introduces a level of exposure that cannot be maintained over time. The remaining categories may be acceptable depending on the risk tolerance range.

Understanding Risks

Page 12: Understanding the security_organization

Applied Risk Exposure:

1 – 8 Low – Acceptable without review by management

9 – 25 Moderate – Management must determine whether corrective actions are required or decide to accept the risk

26 – 39 High – Undesirable and requires corrective action. A plan must be developed to incorporate these actions within a reasonable period of time based on the discretion of management.

40+ Critical – Undesirable and requires immediate corrective action

Understanding Risks
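The following scorer is an added example, not part of the lecture slides: it encodes the likelihood (1–5) and severity (1–4) scales from pages 9–10 and the band thresholds from pages 11–12 to rank a constructed set of findings. It assumes risk exposure is the product of likelihood and severity (the slides list both scales and the bands but do not spell out the combination rule); the slides also do not state what feeds the "applied" score, so only its band lookup is implemented.

```python
"""Risk-exposure scoring using the lecture's scales (added example, not lecture code)."""

# Likelihood and severity scales exactly as listed on the slides
LIKELIHOOD = {5: "Critical", 4: "High", 3: "Moderate", 2: "Low", 1: "Extremely Low"}
SEVERITY = {4: "Critical", 3: "High", 2: "Moderate", 1: "Low"}

# Band floors from the slides, highest first so the first match wins
EXPOSURE_BANDS = [(12, "Critical"), (8, "High"), (5, "Moderate"), (1, "Low")]
APPLIED_BANDS = [(40, "Critical"), (26, "High"), (9, "Moderate"), (1, "Low")]


def band(score, bands):
    """Map a numeric score onto the first band whose floor it meets."""
    for floor, label in bands:
        if score >= floor:
            return label
    raise ValueError(f"score {score} is below the lowest band")


def risk_exposure(likelihood, severity):
    """ASSUMPTION: exposure = likelihood * severity (max 5 * 4 = 20, matching the 12+ top band)."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError("likelihood must be 1-5 and severity 1-4")
    return likelihood * severity


def applied_exposure_band(score):
    """Band lookup for the 'Applied Risk Exposure' table; the input score is supplied by the caller."""
    return band(score, APPLIED_BANDS)


def rate_finding(name, likelihood, severity):
    score = risk_exposure(likelihood, severity)
    return {"finding": name, "score": score, "exposure": band(score, EXPOSURE_BANDS)}


def triage(findings):
    """Rank (name, likelihood, severity) tuples by exposure, highest first, for remediation order."""
    rated = [rate_finding(*f) for f in findings]
    return sorted(rated, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    # Constructed sample findings for illustration only
    sample = [
        ("Internet-facing admin page without authentication", 5, 4),
        ("Internal file share readable by all staff", 3, 2),
        ("Verbose error page on intranet app", 2, 2),
        ("Unpatched service reachable from the LAN, controls weak", 4, 2),
    ]
    for r in triage(sample):
        print(f"{r['score']:>2} {r['exposure']:<9} {r['finding']}")
```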

Page 13: Understanding the security_organization

There are two primary approaches to information security at this time: Proactive and Reactive

Proactive – identify risks and vulnerabilities to systems before hackers do, and take appropriate actions to secure them and minimize risk

Reactive – wait to get hacked, then take appropriate measures and actions to secure them and minimize risk

Two approaches to security

Page 14: Understanding the security_organization

Reactive information security has generally fallen out of favor

Most companies do a combination of reactive and proactive security: patch updates, internal security testing, and, if hacked, find the way they got in and fix it

Reactive information security has a hard time scaling to the organization because of the complexity of systems being used and the number of ways that networks are accessed

BYOD complicates the matter of reactive security because it is very hard to define where the network border is

Reactive Information Security

Page 15: Understanding the security_organization

Proactive information security is limited by:

The imagination of people doing security risk management

The skills of the employees who conduct information security surveys of the network

The support of management to fix problems (that might be critical but costly) in a reasonable period of time

“Security as a Cost Center”: the perception of no real benefit to the company because nothing bad ever happens

Proactive information security is written into some regulations by specifying that companies will accomplish tasks like third party network evaluations, firewalls, and other security systems as part of the company’s operations

Proactive Information Security

Page 16: Understanding the security_organization

One of the largest problems in information security is that there are a large number of “unknowns”

It is unknown to most companies, law enforcement, and governments just how many vulnerabilities there are out there

There is a broad and complex market for “Zero Day” vulnerabilities that are used by companies, criminals, law enforcement and governments without notifying the developer of those flaws

Most companies cannot and do not belong in the business of “zero day” research

Quantifying Unknowns

Page 17: Understanding the security_organization

Quantifying Unknowns

Page 18: Understanding the security_organization

Hacks get more complex

Hackers’ duration on the networks increases

AV might not catch it all

Firewalls and SIEM systems might not see it all

Coders will never write unhackable code

Systems are exposed everywhere there is a connection

Open markets for vulnerabilities

Slow OEM response at times to vulnerabilities

With that in mind

Page 19: Understanding the security_organization

You have to manage your networks, systems, access points, user front ends, and everything else with what you know

People in technology and/or information security that do not constantly learn new stuff become obsolete within a year

You have to work with an often dysfunctional organization and learn to play politics to secure systems adequately

You have to trust OEMs to deliver a patch in time

You have to trust your systems based on what they are seeing

And you have to get creative with your skills to keep your networks safe

You have to manage your networks and systems.

Page 20: Understanding the security_organization

Questions?