Understanding the Reproduction Definition Understanding the Reproduction Definition.
Understanding the security_organization
-
Upload
dan-morrill -
Category
Education
-
view
91 -
download
1
description
Transcript of Understanding the security_organization
CIS 264 Week 1
Highline Community College
Dan Morrill
Understanding the Security Organization
Roles within the companyRisks that are part of the regulatory landscape
(SOX, HIPAA, FERPA, PCI-DSS, etc.)Risks that are part of the business decisionsRisks that are part of the technology decisionsRisks that are part of the security decisions
HIPAA requires a firewall, the business decides to purchase CISCO because of an existing contract, Technology purchases a Cisco 7600 with a firewall module, security configures it to work on the network by opening ports and allowing access to services
What is the “security organization”?
Decisions for technological solutions will be made by people who do not understand the technology
Decisions for purchasing will be made by existing contracts and discounts with IT providers
Decisions might be locked in for years (Cisco, Microsoft, Linux) because of those contracts And it is hard to swap out technologies, it is
nearly impossible for a Windows shop to go to Linux in its entirety because of “lock in” with vendors
You see this now with cloud computing, and the attempt to avoid vendor lock in with any provider
Decisions made can be complex
Point solutions are still popular in organizationsTechnology and security need to understand what
needs to be protected in the organizationTechnology and security need to understand the
critical assets for business continuity (the systems the company needs to run to continue to do business)Every manager and executive thinks that their systems are
business critical and will make decisions about IT, Business Continuity, and Disaster recovery based on that perception
Businesses are highly politicalDon’t tell the VP you can’t do it, or won’t do it – they
will find a way to make it happen regardless of what IT says
Decisions will be made in isolation
Technology and security need to identify every IT solution in the company and how the interconnect to each other to deliver servicesThis includes new, old, vintage, and forgotten
systems and programsSome programs and systems will be orphaned
in the organization with no clear manager or maintainer
Some users do not want their systems upgraded or changed and will help kill new systems or changes
Some managers do not want to lose what political power they have – and will help kill new systems or changes
Decisions will be made on politics
Technology provides solutions to business problems, business problems are based on the perceived power of the people making those decisionsWhat are the systems we need to protectWho uses them and howWhat are the risks we are trying to reduce What is the highest priority risks (this is heavily
influenced by power both actual and perceived within an organization)
Are you reducing risks in the most cost effective way?Heavily dependent upon politics and power within the
organization
Decisions will be made based on perceived power and position
Risk = (threats x vulnerabilities) + (likelihood x impact) + (politics + positional power in the organization)
Risk is the probability of lossThis means uncertainty and messy answersThis means that the “risk” is open to political and
positional influence up and down the organizationRisk is the possibility of a threat
How likely is something to happen, how clever are the hackers, how clever is IT and security?
Risk is qualified (measured) by how likely something is to happen to the systemsThis is prone to second guessing, and lack of imagination
What is a “risk”?
A vulnerability is the weakness that makes the resource susceptible to the threat.
A threat is anything capable of acting against a resource in a manner that can result in harm (intentionally or accidentally).
The likelihood is a measure of how probable it is that the threat/vulnerability pair will be realized.
The severity is a measure of the magnitude of the consequences that result from the threat/vulnerability pair being realized for that resource.
Understanding Risks
Likelihood: Critical (5) – Exposure is apparent through casual use or with
publicly available information, and the weakness is accessible publicly on the InternetHigh (4) – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.Moderate (3) – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.Low (2) – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercisedExtremely Low (1) – The threat-source is part of a small and trusted group, controls prevent exploitation without physical access to the target, significant inside knowledge is necessary, or purely theoretical
Understanding Risks
Severity:Critical (4) – May allow full access to or control of the
application, system, or communication including all data and functionalityHigh (3) - May allow limited access to or control of the application, system, or communication including only certain data and functionalityModerate (2) – May indirectly contribute to unauthorized activity or just have no known attack vector. Impact may vary as other vulnerabilities or attack vectors are identified.Low (1) – May indirectly contribute to unauthorized activity or just have no known attack vector. Impact may vary as other vulnerabilities or attack vectors are identified.
Understanding Risks
Risk Exposure: 1 – 4 Low - May have some minor effect on the system, but likely little impact to
the organization overall. Recovering from such an impact will require minimal expenditures and resources. A single issue, by itself, may not place the integrity, availability, or confidentiality of a system at risk. Multiple issues in this category could be combined, however, in an exploit attempt.5 – 7 Moderate - May result in some tangible impact to the organization. The impact could be narrow in focus and perhaps only noted by a few individuals or parts of the organization. May cause organizational embarrassment. Recovering from such an impact will require some expenditure and resources.8 – 11 High - May cause an extensive system outage, and/or loss of customer or business confidence. May also result in compromise of a large amount of the organization’s information or services, including sensitive information. Recovering from such an impact will require a substantial amount of expenditure, resources, and time. These vulnerabilities should be taken seriously and addressed quickly.12+ Critical - This level of risk exposure is unacceptable for any aspect of the environment. It introduces a level of exposure that cannot be maintained over time. The remaining categories may be acceptable depending on the risk tolerance range.
Understanding Risks
Applied Risk Exposure:1 – 8 Low - Acceptable without review by
management9 – 25 Moderate - Management must determine whether corrective actions are required or decide to accept the risk26 – 39 High - Undesirable and requires corrective action. A plan must be developed to incorporate these actions within a reasonable period of time based on the discretion of management.40+ Critical - Undesirable and requires immediate corrective action
Understanding Risks
There are two primary approaches to information security at this timeProactiveReactive
Proactive – identify risks and vulnerabilities to systems before hackers do, and take appropriate actions to secure them and minimize risk
Reactive – wait to get hacked, then take appropriate measures and actions to secure them and minimize risk
Two approaches to security
Reactive information security has generally fallen out of favorMost companies do a combination of reactive and
proactive securityPatch updatesInternal security testingIf hacked – find the way they got in and fix it
Reactive information security has a hard time scaling to the organization because of the complexity of systems being used and the number of ways that networks are accessed
BYOD complicates the matter of reactive because it is very hard to define where the network boarder is
Reactive Information Security
Proactive information security is limited by:The imagination of people doing security risk
managementThe skills of the employees who conduct information
security surveys of the networkThe support of management to fix problems (that might be
critical but costly) in a reasonable period of time“Security as a Cost Center” the perception of no real
benefit to the company because nothing bad ever happensProactive information security is written into some
regulations by specifying that companies will accomplish tasks like third party network evaluations, firewalls, and other security systems as part of the companies operations
Proactive Information Security
One of the largest problems in information security is that there are a large number of “unknowns”It is unknown to most companies, law
enforcements, and governments just how many vulnerabilities there are out there
There is a broad and complex market for “Zero Day” vulnerabilities that are used by companies, criminals, law enforcement and governments without notifying the developer of those flaws
Most companies cannot and do not belong in the business of “zero day” research
Quantifying Unknowns
Quantifying Unknowns
Hacks get more complexHackers duration on the networks increasesAV might not catch it allFirewalls and SEIM systems might not see it
allCoders will never write unhackable codeSystems are exposed everywhere there is a
connectionOpen markets for vulnerabilitiesSlow OEM response at times to
vulnerabilities
With that in mind
You have to manage your networks, systems, access points, user front ends, and everything else with what you knowPeople in technology and/or information security that do
not constantly learn new stuff become obsolete within a year
You have to work with an often dysfunctional organization to learn to play politics to secure systems adequately
You have to trust OEM’s to deliver a patch in timeYou have to trust your systems based on what they are
seeingAnd you have to get creative with your skills to keep
your networks safe
You have to manage your networks and systems.
Questions?