People First,Performance Now
Ministry of Science,Technology and Innovation
Risk and Compliance
Mark Hofman
SANS Institute / Shearwater Solutions
06 November 2012
Agenda
• The risks we face
– How are we compromised
• The standards we face
• Why do they fail?
• How can they work?
• What else is there?
Compliance != Security
Security != Compliance
The risks we face
• Key loggers
• Weak or stolen credentials
• Data exfiltration
• Brute force attacks
• Backdoors
• Tampering
• Social engineering
• Phishing
http://xkcd.com/795/
The risks we face
• Extortion
• DoS/DDoS
• SQLi
• Internal challenges
– Non-compliance with standards
– Complex systems
– Unknown systems
– Operational challenges
– Resourcing
How are we compromised?
1. Spear phishing email
– Based on Google, Facebook, LinkedIn or other social media and public information
2. Lateral movement
3. Consolidation within target environment
4. Identify and exfiltrate data
How are we compromised?
1. Internet-facing server compromise
2. Lateral movement
3. Consolidation within target environment
4. Identify and exfiltrate data

Where do Standards fit?
The Standards we face
• Standards
– ISO 27000 series
– PCI DSS
– SOX/JSOX
– COBIT
– ITIL
– etc.
http://xkcd.com/927
27000 Series
ISO/IEC 27001 — Information security management systems — Requirements
ISO/IEC 27002 — Code of practice for information security management
ISO/IEC 27003 — Information security management system implementation guidance
ISO/IEC 27004 — Information security management — Measurement
ISO/IEC 27005 — Information security risk management
ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27010 — Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
ISO/IEC 27011 — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27031 — Guidelines for information and communications technology readiness for business continuity
ISO/IEC 27033-1 — Network security overview and concepts
ISO/IEC 27035 — Security incident management
ISO 27799 — Information security management in health using ISO/IEC 27002
ISO/IEC 27007 — Guidelines for information security management systems auditing (focused on the management system)
ISO/IEC 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
ISO/IEC 27013 — Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
ISO/IEC 27014 — Information security governance framework
ISO/IEC 27015 — Information security management guidelines for the finance and insurance sectors
ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on the Internet)
ISO/IEC 27033 — IT network security, a multi-part standard based on ISO/IEC 18028:2006 (part 1 is published already)
ISO/IEC 27034 — Guideline for application security
ISO/IEC 27036 — Guidelines for security of outsourcing
ISO/IEC 27037 — Guidelines for identification, collection and/or acquisition and preservation of digital evidence
ISO/IEC 27001
Information security management systems
– Risk based standard (yours)
– High level
– Can certify against the standard
– Has some required documents
• Security policy, BCP, incident response plan and more
– Shades of grey are OK
[Figure: Plan / Do / Check / Act cycle]
PCI DSS
[Figure: PCI standards family: PCI P2PE, PCI PTS, PA-DSS, PCI DSS]
• Risk based standard (payment brands)
• Prescriptive
• Black and white
SOX/COBIT/COSO/ITIL
• Risk based standards (not necessarily yours)
• Management frameworks
Government
• FISMA (USA)
• Information Security Manual (AU)
Why do they fail to protect?
• ISO 27001
– Focus is on the management process
– Risks often not correctly identified
– Not integrated into normal processes
– Seen as a hindrance
Why do they fail to protect?
• PCI DSS
– Can be resource intensive
– Not integrated into normal processes
– Ignores risks not specifically addressed by PCI DSS
– Segmentation
– Not using controls to best advantage
Why do they not work?
• Tick-box approach
• Addressing the standard, not the basic security requirements
• Not addressing real risks
• Prioritisation
How can they work?
• If you have to comply, make the standard work for you.
• The security team(s) need to embrace the standard(s)
• Operational teams need to embrace the standard(s)
• Internal audit teams need to work with the other teams to make the standards work
• Management needs to ask: what can we get out of it?
How can they work?
• Make sure processes fit with the organisation
• KISS principle (not too much red tape)
• Assess risks regularly
How can they work?
• Get the basics correct
– Know what you are protecting
– Know your systems and network
• Automate
[Figure: control cycle: Assess Risks → Select Controls → Implement Controls → Monitor & Report]
What else is there?
• 20 Critical Controls
http://www.sans.org/critical-security-controls/
• DSD 35 mitigating controls (the top four):
– Application whitelisting
– Patch applications
– Patch operating systems
– Reduce privileged access
www.dsd.gov.au
Questions?
[email protected]@gmail.com