
Page 1: Risk and Compliance

People First, Performance Now
Ministry of Science, Technology and Innovation

Mark Hofman
SANS Institute/Shearwater Solutions
06 November 2012

Page 2: Agenda

• The risks we face
  – How are we compromised
• The standards we face
• Why do they fail?
• How can they work?
• What else is there?

Page 3:

Compliance != Security
Security != Compliance

Page 4: The risks we face

• Key loggers
• Weak or stolen credentials
• Data exfiltration
• Brute force attacks
• Backdoors
• Tampering
• Social engineering
• Phishing

http://xkcd.com/795/

Page 5: The risks we face

• Extortion
• DOS/DDOS
• SQLi
• Internal challenges
  – Non-compliance with standards
  – Complex systems
  – Unknown systems
  – Operational challenges
  – Resourcing

Page 6: How are we compromised?

1. Spear phishing email
   – Based on Google, Facebook, LinkedIn or other social media and public information
2. Lateral movement
3. Consolidation within target environment
4. Identify and exfiltrate data

Page 7: How are we compromised?

1. Internet-facing server compromise
2. Lateral movement
3. Consolidation within target environment
4. Identify and exfiltrate data

Where do standards fit?

Page 8: The standards we face

• Standards
  – ISO 27000 series
  – PCI DSS
  – SOX/JSOX
  – COBIT
  – ITIL
  – etc.

http://xkcd.com/927

Page 9: 27000 Series

• ISO/IEC 27001 — Information security management systems — Requirements
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27010 — Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27031 — Guidelines for information and communications technology readiness for business continuity
• ISO/IEC 27033-1 — Network security overview and concepts
• ISO/IEC 27035 — Security incident management
• ISO 27799 — Information security management in health using ISO/IEC 27002
• ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
• ISO/IEC 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
• ISO/IEC 27014 — Information security governance framework
• ISO/IEC 27015 — Information security management guidelines for the finance and insurance sectors
• ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
• ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
• ISO/IEC 27034 — Guideline for application security
• ISO/IEC 27036 — Guidelines for security of outsourcing
• ISO/IEC 27037 — Guidelines for identification, collection and/or acquisition and preservation of digital evidence

Page 10: ISO/IEC 27001 — Information security management systems

– Risk-based standard (yours)
– High level
– Can certify against the standard
– Has some required documents
  • Security policy, BCP, Incident Response Plan and more
– Shades of grey are OK

(Diagram: Plan, Do, Check, Act cycle)

Page 11: PCI DSS

(Diagram: PCI standards family: PCI P2PE, PCI PTS, PCI PA-DSS, PCI DSS)

• Risk-based standard (payment brands)
• Prescriptive
• Black and white

Page 12: SOX/COBIT/COSO/ITIL

• Risk-based standards (not necessarily yours)
• Management frameworks

Government
• FISMA (USA)
• Information Security Manual (AU)

Page 13: (image slide, no text extracted)

Page 14: Why do they fail to protect?

• ISO 27001
  – Focus is on the management process
  – Risks often not correctly identified
  – Not integrated into normal processes
  – Seen as a hindrance

Page 15: Why do they fail to protect?

• PCI DSS
  – Can be resource intensive
  – Not integrated into normal processes
  – Ignores risks not specifically addressed by PCI DSS
  – Segmentation
  – Not using controls to best advantage

Page 16: Why do they not work?

• Tick approach
• Addressing the standard, not the basic security requirements
• Not addressing real risks
• Prioritization

Page 17: How can they work?

• If you have to comply, make the standard work for you.
• The security team(s) need to embrace the standard(s)
• Operational teams need to embrace the standard(s)
• Internal audit teams need to work with the other teams to make the standards work
• Management needs to ask: what can we get out of it?

Page 18: How can they work?

• Make sure processes fit with the organisation
• KISS principle (not too much red tape)
• Assess risks regularly

Page 19: How can they work?

• Get the basics correct
  – Know what you are protecting
  – Know your systems and network
• Automate

(Diagram: risk management cycle: Assess Risks, Select Controls, Implement Controls, Monitor & Report)

Page 20: What else is there?

• 20 Critical Controls
  http://www.sans.org/critical-security-controls/
• DSD 35 mitigating controls
  www.dsd.gov.au
  – Application whitelisting
  – Patch applications
  – Patch operating systems
  – Reduce privileged access

Page 21: Questions?

[email protected]@gmail.com