Managing risk & compliance, enabling growth
Jacob Herbst, [email protected]
Scandinavian Conference – April 23rd 2012
Presentation
• Jacob Herbst
• Master of Engineering, master thesis in data security
• Working with IT security since 1995
• Co-founder and CTO (technical manager), Dubex A/S

• Dubex A/S
• Focused and specialized in IT security since 1997
• 50 employees in Copenhagen and Aarhus – two thirds working with delivering IT security solutions and services
• Privately owned by the original founders and employee shares
• Profitable all years since formation
• Turnover 2011 – DKK 80m / EUR 10.7m
• Self-financing – Dun & Bradstreet AAA rating
• Largest IT security solution focused company in Denmark
• Solutions and services around network and content security, remote access, mobility, authentication, log management and compliance
• Only ISO 27001 certified Danish IT security solution company
Dubex, Aarhus
Dubex, Copenhagen (from June 2012)
Agenda
IT challenges 2012
User empowerment
Virtualization and cloud
Threats and incidents
Defense in depth
Risk management
Conclusion
IT is the business
• IT is the foundation for everything
• The credit crisis has set focus on cost optimization and efficiency improvements
• Mission for IT department:
Reference: Gartner Executive Programs - Reimagining IT: The 2011 CIO Agenda
The Six Styles of the Money-Making CIO
1) Entrepreneurial CIO
2) Cost Optimization CIO
3) Revenue-Creating CIO
4) Business Innovation CIO
5) Business Development CIO
6) Public-Serving CIO
Reference: The 2011 Gartner Scenario: Current States and Future Directions of the IT Industry
Increase earnings and enable growth
IT Challenges
Internal business demands
• Cost reduction
• Green IT
• Flexibility and adaptability
• Availability and performance

Internal user demands
• Access to social media
• Mobile access everywhere
• Work/life balance
• Consumerization and user empowerment

External demands
• Compliance
• Customer expectations
• Agreements and SLAs

Applications
• Web based applications
• Peer-to-peer applications
• Web 2.0 (social media, wikis, blogs)
• New mobile operating systems and applications

Threats
• Organized crime
• Targeted attacks – APT
• Random attacks and data loss
• Day-0 vulnerabilities

Technological evolution
• Wireless technologies and mobile devices
• Bandwidth, network and IPv6
• Telepresence
• Open Source
The perception of IT security
• The IT security budget is often a fixed percentage of the IT budget
• Reactive security
• Implies that security is a duty imposed on IT operations
• Difficult to calculate ROI – what is the cost of an incident avoided?

• IT security as risk management
• Related to the commercial business risk
• Optimizing costs in proportion to potential commercial losses
• IT security as an enabler supporting the business, enabling new revenues
• IT security spending becomes linked to commercial risk
Security as a cost of doing business
• ”Guards, Guns and Gates”
• Reactive security
• Main drivers: legislation, insurance, security and responsibility

Security as a strategic decision
• More proactive
• Formalized processes
• Business case based on cost savings and preventing loss

Security as a business enabler
• Security is a strategic part of the business
• Risk management as a management tool
• Increase productivity
• Solutions supporting both business and security
Evolving IT security objectives (past ... present; by inspiration from Forrester Research, Inc)
• Internal focus – only access for own employees → External focus – suppliers, partners and customers all need different kinds of access
• Centralized values – data kept in a centrally well protected IT fortress → Distributed values – data is spread over distributed servers, devices, locations and departments
• Prevent loss – the goal of IT security is to prevent breaches of confidentiality → Increase earnings – support e-business, enable growth, increase productivity, flexibility, etc.
• IT decides – the security manager decides access rules and policies → Business decides – business units decide who should have access
• Technical focus – technical requirements decide the IT security spending → ROI focus – IT security spending must be commercially justified
Drivers – IT security as enabler

Technology
• New wireless technologies: 3G, 4G LTE, WLAN, WiMax etc.
• Convergence: everything becomes network based
• Unified Communication, VPN, VoIP, iSCSI, mobility, web etc.
• Virtualization
• Cloud computing

Mobility
• Better options for mobility and remote access
• Supports faster reaction
• Smartphones and tablets
• Portable storage devices that might contain confidential data – SD and USB devices

Communication
• Many parties have access to network and services
• Many entrances to the network
• E-business – intranet, extranet and partner net
• Access to internal data
• Cost savings

Compliance
• Legislation, rules and standards impose requirements on our IT systems
• SOX, EU-SOX, HIPAA, PCI, ISO27001
• Formalized change control, monitoring and log consolidation
Security as enabler
Why the focus on mobility?
http://www.morganstanley.com/institutional/techresearch/
[Figure: Computing Growth Drivers Over Time, 1960-2020E – devices/users (millions, logarithmic scale) per year, 1960-2020]
• Mainframe computing: 1 million+
• Mini computer: 10 million+
• Personal computing: 100 million+
• Desktop Internet: 1 billion+
• Mobile Internet: 10 billion+
• Internet of things: 100 billion+

Each cycle:
• More CPU power
• Better user interface
• Smaller physical size
• Lower cost
• More services
Latest cycles have typically lasted 10 years

State of the Internet… Mobile Will Be Bigger Than Desktop Internet in 5 Years
Morgan Stanley, April 2010
Consumerization
Consumerization of our IT usage
• Consumer hardware used for work
• Consumer services used for work
• Bring your own device – mixture of private and company usage of devices and data
• Employees use ”consumer solutions” to carry out their work, e.g. Facebook and Skype

Q. You received offers from two organizations that are equal in terms of opportunity and reputation…
Offer A: Higher salary, but no workplace flexibility
Offer B: Lower salary, with workplace flexibility
Result: 34% / 66%
Source: The Cisco Connected World Report 2010

78% of IT organizations are concerned about the risks of employee driven, unsanctioned use of Web 2.0 tools and technologies
Source: Forrester Research

50% of respondents said they "customize their work environment moderately or aggressively" (including the use of unsanctioned tools) and will continue to do so.
Source: Gartner Research poll
Infrastructure evolution
Past: servers are monolithic; limited mobility
Present: partial virtualization; partial mobility
Future: cloud computing; mobile enterprise
Virtualization
• Consolidation – less hardware
• Reduced cost – less energy
• Green IT
• Increased flexibility and agility
• Better separation of duties
• Better backup and disaster recovery
• Cloud computing – the most important ”enabler” technology
• Important tool to make IT more efficient
Source: The Cisco Connected World Report 2010
What factors inhibit data center virtualization?
• Security 20%
• Stability of virtualized environment 18%
• Difficulty building operational processes 16%
• Management/administration 16%
• Proprietary virtualization solutions 15%
• Conflicts in IT organizations on ownership 14%
• Other 1%

What is your company’s greatest concern regarding its data center?
• Security
• Performance
• Reliability/Uptime
Enabling technologies
Virtualization
• Efficient utilization of resources
• Faster provisioning
• Economies of scale
• Lower cost

Open standards
• Common protocols
• Web 2.0 – user-friendly web applications

Internet & bandwidth
• Inexpensive bandwidth
• Global connectivity

[Diagram: virtualization stack – network, storage and servers under a hypervisor running virtual machines (app/OS pairs), with management and management automation across the stack]
Cloud computing
• Compliance – cloud computing
• How is data in reality protected?
• Availability – redundancy and backup?
• Legislation – where in the world are your data?
• Missing separation between administrative duties
• Internal and external cloud solutions demand flexible and scalable IT security solutions

Where in the world are ”my” data?
What is the risk associated with sharing applications, platform and infrastructure with others?
Does my cloud vendor focus on security?
How is my data protected – does it comply with my confidentiality requirements?
Am I allowed to store data from my organization on non-company equipment?
How do I audit and penetration test my cloud based infrastructure?

By 2015, 80% of enterprises using external cloud services will demand independent certification that providers can restore operations and data.
Gartner’s Top Predictions - 2011 and Beyond
Threats
• More advanced and sophisticated attacks – APT
• Crime and profit driven
• Cyber warfare and espionage
• Cyber terrorism and hacktivism

[Figure: threat landscape by probability, objective and method]
• Worms and botnets – random Internet users – simple attacks: spam, worms and botnets
• Data loss – credit card handling companies – advanced data theft
• APT – governments and critical infrastructure – advanced targeted attacks, spear phishing
Incidents
Stuxnet
• Advanced malware infects nuclear program
• Cost: Unknown…

RSA
• Spear phishing used to steal SecurID token seeds
• Cost: USD 50-100 million

Epsilon
• 100,000 customers compromised following spear phishing
• Cost: USD 100 million – USD 4 billion

Lockheed Martin Corporation
• Attempted compromise of remote access via stolen SecurID token seed
• Cost: Unknown…

Sony Playstation Network
• Anonymous attack – 100 million users compromised
• Cost: USD 13.4 billion

DigiNotar
• CA infrastructure compromised – fraudulent certificates issued
• Cost: Unknown… DigiNotar went bankrupt
Vulnerabilities and attackers
How are we vulnerable?
• Technical – vulnerabilities and weaknesses in software
• Physical – fire, strike of lightning, flooding etc.
• Operational – misconfiguration, faulty use etc.
• Human – social engineering, thoughtlessness etc.

Who are the attackers? (inspiration: Microsoft)
[Figure: attacker spectrum from script kiddy, student and expert to specialist, plotted by visibility (anonymous to visible) and motive (curiosity, personal prestige, economic crime, national interest); categories: vandal, unwelcome visitor, IT criminals, hacktivism, cyberwar; annotations along the spectrum: largest in numbers, most resources used on protection, greatest loss]
Solutions - Security in depth
• Various different, redundant and independent security functions
• Gateway level
• Network level
• Host level
• Endpoints

• Generic security functions
• Secured design – proactive security
• Active protection – reactive security
• Monitoring

Policies and procedures
Physical security
Perimeter security
Network security
Application security
Host security
Data security
Complexity of security
• Security is complex
• More tasks
• Lacking internal resources and competences
• Attacks becoming more complex and more frequent
• Substantial and increasing cost of data loss incidents

• Required to add business value
• Documented correlations between commercial risk and IT security

• Budget consideration
• Buying services or investing in products
• Provide commercial advantages – optimizing business processes to justify increased budgets
Source: InformationWeek - 2011 Strategic Security Survey: CEOs take Notice
Challenges – organizing security
Common problems in managing security
• Lacking a clear strategy
• Not planned ”good enough”
• Fragmented security solutions
• Lacking overview of what in reality ought to be protected
• Shared responsibility – no central responsibility
• Reactive – driven by specific incidents

Consequences – security
• Gaps in security
• Difficult administration and operations
• High costs
• Lacking focus
• Bad return on investment
• Interruptions
• Lost credibility and customers
• Solutions not matching attacks
• Unnecessary duplication
Eric Ouellet, Gartner: “What we have found is that organizations that spend more than seven percent of the IT budget on security are actually less secure because they use reactionary approaches. They end up with point solutions where there’s no overarching theme and no integration.”
http://www.securecomputing.net.au/News/123479,gartner-dispels-security-myths.aspx
Management focus on IT security
• Combine and link security initiatives with the organization's other goals, targets and values
• Focus on initiatives with management attention
• Focus on commercial value and the opportunity for the business
• Formalized process for risk management and implementation of security
• Mapping of risk management with clear key performance indicators (KPIs)
• Link risk initiatives with business goals
• Avoid operational KPIs in management communication
• Management communication should focus on what works and what needs fixing

Emphasize the company values
Opportunity for audit of processes
Live up to external compliance requirements
Fulfill industry standards
Promote desired internal behavior
Protect sensitive data from loss
Protect against errors etc.
IT Security –Commercial drivers
Commercial values
Value: Risk management
• Lost productivity – indirect consequences (lost customers, lost sales, lost credibility, lost competitiveness)
• Legal consequences (missing compliance with contracts and legislation etc.)
• SLA compliance towards suppliers and customers

Value: Maintain compliance
• Internal compliance requirements
• ”Persondataloven” (the Danish Act on Processing of Personal Data)
• Regulatory compliance: PCI DSS
• EU Data Protection Directive
• Competitive compliance – standards: COBIT, ISO27002

Value: Business enabling
• Business expansion
• Additional sales channels, better customer service and retention
• New customer segments and increased turnover, cheaper delivery, better competitive situation and reaction
• Supporting branding

Value: Cost optimization
• Cost reduction – improved business processes
• Avoid costs – scalability
• Use of existing resources
• Efficiency – new and improved processes, fewer resources
Minimizing and optimizing risk
• Security is always a question of prioritization
• Does it pay back to invest in more security?
• Decisions must be based on a risk evaluation
• The objective is to optimize risk – not to minimize it
• Well-founded selection of precautionary measures
• Well-founded de-selection of precautionary measures

Optimizing risk: lock all doors and windows; fire and smoke alarm; fire extinguisher; burglar alarm
Minimizing risk: armor glass in windows; armor in ceiling and walls; barbed wire fence; active fire extinguishing; guards; CCTV surveillance; panic room…
• Transparency and defensibility of risky decisions are more critical than ever. Risk must be measured and addressed as part of the business process. All managers and leaders need basic skills in risk management.
• Risk management is an investment decision tool. Eliminating all risk is not possible or desirable. Risk treatment options include mitigation, contingency planning, transfer and acceptance.
• Risk and the accountability for risk are, and should be, owned by the business units creating and managing those risks.
• Risk management is an ongoing effort. Risk assessments are valid for a point in time, because risk factors evolve over time. Risk management must be baked into the thinking of decision makers and into the governance of the enterprise.
• Risk decisions are more complex and impactful than in the past. With instant communication and processes, organizations must act quickly and knowledgeably to threats and opportunities. Continuous monitoring and reporting of risk are becoming critical business processes.
The 2011 Gartner Scenario: Current States and Future Directions of the IT Industry
The New Realities of Risk Management
Information Security Management System (ISMS)
• Framework for establishing a risk management and IT security process
• Ensures a formalized process for working with security
• Process for setting up controls that reduce risk

SANS 20 Critical Controls
• Focus on simple controls with large effect
• Each control has guidelines for implementation and follow-up
• Specifically made for US government agencies, but can be applied in general
• Guidelines for focusing spending on key controls
• Focus on automation and measurement
List Of Critical Controls
1 Inventory of Authorized and Unauthorized Devices
2 Inventory of Authorized and Unauthorized Software
3 Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5 Boundary Defense
6 Maintenance, Monitoring, and Analysis of Security Audit Logs
7 Application Software Security
8 Controlled Use of Administrative Privileges
9 Controlled Access Based on the Need to Know
10 Continuous Vulnerability Assessment and Remediation
11 Account Monitoring and Control
12 Malware Defenses
13 Limitation and Control of Network Ports, Protocols, and Services
14 Wireless Device Control
15 Data Loss Prevention
16 Secure Network Engineering
17 Penetration Tests and Red Team Exercises
18 Incident Response Capability
19 Data Recovery Capability
20 Security Skills Assessment and Appropriate Training to Fill Gaps
http://www.sans.org/critical-security-controls/
Measure, plan and implement
• Perform a risk assessment and a gap analysis
• What has value for us, what is the risk and where are the problems?
• Compare to best practice, for instance SANS Top 20 Critical Controls

• Focus on the potential gaps in security level
• For each improvement, document the change in security level
• Make the prioritization a management decision
• Focus on the improvements providing the fastest results

• Draw up a long term strategic plan
• Prioritize projects by cost and value for the organization
• Use the risk assessment to address lacking management or budget support
• Make sure to report on the changes and progress

[Figure: gap in security level (scale 1-7) closed by Project 1 and Project 2]
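As an added worked example (not code from the slides or from Dubex), the following Python model applies the rule the risk-optimization and measure-plan-implement slides describe: score each candidate measure by the annual loss it prevents against its cost, select those that pay back and de-select the rest, rank the selected ones by net benefit, and check the outcome against the SANS Top 20 for remaining gaps. All risk figures, measures and the control mapping are constructed assumptions.

```python
"""Risk-optimizing control selection: added example, not code from the slides.
A measure has an annual cost and removes a fraction of the frequency of one or
more risks; following the slides' rule it is selected only when the annual loss
it prevents exceeds its cost, otherwise de-selected. All figures are constructed
sample values (DKK per year), not real data."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Risk:
    name: str
    impact: float     # estimated loss per incident
    frequency: float  # expected incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy of the untreated risk."""
        return self.impact * self.frequency

@dataclass(frozen=True)
class Measure:
    name: str
    annual_cost: float
    reduction: dict              # risk name -> fraction of its frequency removed
    sans_control: Optional[int]  # SANS critical control (1-20) it implements, if any

def avoided_loss(measure: Measure, risks: list) -> float:
    """Annual loss the measure prevents against the untreated baseline. Simplifying
    assumption: measures are scored independently, overlapping reductions are not combined."""
    by_name = {r.name: r for r in risks}
    return sum(by_name[n].ale() * frac for n, frac in measure.reduction.items())

def evaluate(risks: list, measures: list):
    """Split measures into selected (positive net benefit, highest first, i.e. the
    improvements giving the fastest result) and de-selected ones.
    Each entry is (name, net benefit per year, SANS control)."""
    scored = [(m.name, round(avoided_loss(m, risks) - m.annual_cost), m.sans_control)
              for m in measures]
    selected = sorted((s for s in scored if s[1] > 0), key=lambda s: -s[1])
    deselected = [s for s in scored if s[1] <= 0]
    return selected, deselected

def control_gaps(implemented: set, selected: list) -> list:
    """Gap analysis against the SANS Top 20: controls covered neither today
    nor by any selected measure."""
    covered = set(implemented) | {c for _, _, c in selected if c is not None}
    return sorted(set(range(1, 21)) - covered)

# Constructed sample data; the physical measures mirror the slides' own
# "optimizing vs minimizing risk" examples, the rest are assumed.
RISKS = [
    Risk("laptop theft", impact=500_000, frequency=0.4),
    Risk("spear phishing", impact=2_000_000, frequency=0.2),
    Risk("server room fire", impact=5_000_000, frequency=0.01),
    Risk("burglary", impact=200_000, frequency=0.1),
]
MEASURES = [
    Measure("full-disk encryption on laptops", 60_000, {"laptop theft": 0.9}, 15),
    Measure("end-user awareness training", 40_000, {"spear phishing": 0.5}, 20),
    Measure("fire and smoke alarm", 5_000, {"server room fire": 0.5}, None),
    Measure("burglar alarm", 8_000, {"burglary": 0.6}, None),
    Measure("armoured glass in windows", 300_000, {"burglary": 0.5}, None),
]

if __name__ == "__main__":
    chosen, dropped = evaluate(RISKS, MEASURES)
    for verdict, group in (("select", chosen), ("deselect", dropped)):
        for name, net, _ in group:
            print(f"{verdict:8s} {name:32s} net benefit DKK {net:>9,}/year")
    print("remaining SANS control gaps:", control_gaps({5, 12}, chosen))
```

The armoured glass is de-selected because it costs far more per year than the burglary loss it prevents, which is exactly the "well-founded de-selection" the slides ask for.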
Security breach - humans
• Ignorance
• Internal users do not know/understand the security policy
• Lacking understanding of the consequences of own actions
• Lacking understanding of elementary “safe” IT handling

• Carelessness
• Internal users know the security policy but do not care
• Lacking consideration – “nothing will happen anyway”

• Disregarding the security policy
• Attempt to make the working day easier
• Copying and leaking of confidential data
• Setting up one's own local wireless network

• Malicious
• Discontented employee acting on purpose
• Personal economic profit – crime and fraud
• Personal ego and gratification

[Figure: overlapping circles – IT security, physical security and human]
IT Security and human resource management
• Users wish for flexibility, mobile devices and social media
• The security policy must support these demands, otherwise users will violate the security policy
• A security policy supporting the user demands can improve employee satisfaction and productivity
• Remember end-user awareness training!

Q. Does your company have an IT policy outlining acceptable uses of company resources such as personal computers, cellular telephones, and smartphones?
(Yes / No / Don’t know)
End user: 53% / 23% / 24%
CIO/CSO: 82% / 18%
Source: The Cisco Connected World Report 2010

"Security is not a product, it's a process"
Bruce Schneier
Conclusion
• Organization and management
• IT is the business – so involve it
• IT security is a business enabler
• Risk management is the focal point

• Technical
• Formalized process for security management
• Defense in depth is still important
• Security management is a requirement
Top 12 predictions for 2012
• Cloud: Incident with serious compromise of a major cloud provider – security becomes a priority. Cloud used for attacks
• SSL: Continued compromise of commercial CAs and theft of certificates – what and whom can you trust? Attacks against the SSL protocol itself
• APT: APT / spear phishing attacks will continue, mature and be automated against ordinary companies and users
• HTML5: New technology, new vulnerabilities – attacks specifically targeting multimedia functions
• Virtualization: Enabler for private cloud. More hypervisors. Specific attacks targeting virtual environments – attempts to exploit hypervisor vulnerabilities
• Facebook: Fake competitions and advertisements, hacking of personal information, specific attacks against Facebook in particular force them to improve security for their users
• Hacktivists: Continued politically motivated attacks on governments and others that Anonymous and similar groups take issue with
• Apps: Focus on security in apps, criminals will seek to place malware in app stores, many attacks force improved security in the Android Market
• Malware: Malware/worms against smartphones, first examples of malware hitting Apple iOS devices, location-aware malware, smaller botnets due to effective legal actions
• BYOD: ”Bring your own device” also means ”Bring and clean your own infections”, increasing number of cases due to lost devices with critical data
• DDoS: DDoS attacks become cheaper, hacktivists will continue their attacks, DDoS against critical infrastructure and DDoS attacks as part of extortion
• Examples of cyberwar, first attacks against critical infrastructure (SCADA)
Risk management
• Risk cannot be eliminated, only limited
• You cannot buy security as a product
• Security is achieved by combining
• Processes, procedures and management
• Design, tools and technical solutions
• Continuous monitoring and maintenance
• Result: Formulation of a security policy and implementation of a security system
Dubex spring seminars
IDENTITY MANAGEMENT & ACCESS MANAGEMENT
PERIMETER SECURITY
SECURITY AND VIRTUALIZATION
OPTIMIZATION & AVAILABILITY
DATA PROTECTION – DLP
CHECK POINT UPDATE
MOBILITY
Read more at www.dubex.dk

Program – 360° IT security (March, April, May, June)
Thursday 8 March 2012: IDENTITY & ACCESS MANAGEMENT
Wednesday 21 March 2012 in Copenhagen & Thursday 22 March 2012 in Aarhus
Thursday 29 March 2012: SECURITY AND VIRTUALIZATION
Monday 30 April 2012: OPTIMIZATION & AVAILABILITY
Monday 14 May 2012: DATA PROTECTION – DLP
Tuesday 22 May 2012 in Copenhagen & Wednesday 23 May 2012 in Aarhus: CHECK POINT UPDATE
Thursday 7 June 2012: MOBILITY
More information and registration at www.dubex.dk. NB: We reserve the right to make changes.
Thank you
For more information please contact Jacob Herbst, [email protected]