Creating an Effective Security and Risk Management Culture

Superheroes are not here to prevent things from happening—we can't afford to be drawn to a superhero model with respect to security and risk management. The alternative is to have a mandate from the top and to earn the trust of the organisation as a whole.

The head of security must be:

• Never considered an obstacle
  
• Consulted by business
  
• Someone who listens
  
• Knows how the company makes money
  

Even better:

• Considered an added value
  
• Advice is sought out
  
• Board/CEO reads report
  
• Integral to IT planning
  

Must understand constraints on activity:

• Regulations: External/Internal [effectiveness of rules is a function of organizational culture]
  
• Cultural Proclivity [effectiveness of rules is a function of organizational culture]
  
• Market Forces [if it affects the bottom line, it will automatically become a priority]
  
• Technical Possibilities [functions in spite of control subject]
  

How many security officers does it take to make an enterprise secure? Just one… …but the enterprise must want to be secure. Awareness, Willingness, Ability. This is the natural logical progression as we bring up security awareness.

Can we come up with a form with the service catalog and get numbers for the level of confidentiality, integrity and availability they need for each of those systems? Need to make sure that data owners assess their own data criticality. Data owners explicitly accept associated risks.

Key message is that business owners own the risk, not us. They might delegate to us the actions to reduce risk, but we don't own the risk for them. Work with business owners to determine risks, and make sure they understand the residual risk that remains after we have performed agreed actions.

Sales Pitches

I have blogged something about some of the cendors at the conference, ut put it on my Sharepoint blog for the sake of security...
http://cis-netsps03.lancs.ac.uk:28921/personal/meikle/Blog/default.aspx

The Future of Database Security

Hmmm… Too much that is relevant here, so my comments going into e-mail. Drop me a line if you want to know what my thoughts were.

The Identity and Access Management Scenario

Note: there is a separate Identity and Access Management Summit.

A set of processes and technologies to manage:

• Users' digital identities
  
• The relationship to civil identity
  
• Users' access to systems and the information they contain
  

Identity: user lifecycle management. Access model: role life cycle management. Identity lifecycle consumes roles from access model. Workflow that passes roles to user lifecycle has a lifecycle itself. All this is done to reduce risk (how does the security framework affect the workflows).

Security efficiency; security effectiveness; business enablement.

Interesting that, when talking about the value of IAM, the first thing the speaker mentioned was attracting and retaining customers—that is exactly what we're doing when we use UIM to help with PGA.

Value:

• Attract and retain customers
  
• Improve critical business processes and workflows
  
• Maximise performance and profitability
  

IAM Program Maturity

Non-existent	Initial	Developing	Defined	Managed	Optimizing
4%	10%	40%	28%	15%	4%

 

Does indicate the importance of process definition before applying IAM to that process. We need to work out what process definition we need to do for students during the registration process (and during the application process) to give them the access they need.

Controlling Unauthorized Network Access in a Large Organization

Deploying NAC at Nottingham City Council, with Sophos. Chose Sophos because they already had their AV. Interesting that yesterday, we were encouraged to push back on the cost of AV, and threaten to pull out our existing AV if we don't get a cut in price.

Very little detail in this presentation. Does remind me that NAC is not an enforcement technology. The questions from the audience reflect the issues of NAC for: a variety of roles (visitors, parent companies etc); multiple platforms (LINUX and Mac not supported by Sophos).

Protecting Business in a Web 2.0 World

Signature approach to malware is running out of steam, so what should replace that paradigm? Massive increase in the number of unique samples of malware. There are programs now that generate malware (so there are many variants).

Mmmm. This has turned into a brief history of SaaS and a sales pitch for security SaaS…

Managing Legacy Content to Decrease IT Costs and Reduce Business Risks

If our default, as we look at our e-mail is "I'll keep it just in case." Keeping everything is expensive and most of what we keep we don't need to. Data storage needs are going up about 50% per year (without taking into account pictures, audio and video). No one has responsibility for information retention management. How do we manage the costs of undisciplined data retention. Retention schedules cannot be implemented (because no one has the responsibility).

Suggestions:

• Give legal training to IT people so that they can argue with the lawyers over what can be thrown away
  
• Hire data archivists (directly, not as consultants)—who can make decisions about what to save and what to keep
  

Information value degrades over time—rarely does it maintain value. After the first month of e-mail archiving, archives are rarely hit. There are certain things that you should keep—but it is the exception, not the rule.

Five Myths about Rising Storage Demand:

1. It can be offset by better technology
   
2. It can be offset by paying less
   
3. It can be offset with more storage tiers
   
4. It can be satisfied with more tape
   
5. It can be accommodated with archiving software
   

Determine TCO for storage and react.

Use automated methods to determine what files can be thrown away. Determine a set of rules that can help build a list of what could be thrown away.

How does this stuff affect us? For students, I assume that people's home directories aren't kept in perpetuity. For their submissions, how long do they need to be kept—do we want to keep them forever? For e-mail, for staff H: drives, we need to work out what can be stored forever and what can't. What's worse: not giving people lots of central storage so that things get lost on C: drives, or giving them lots of central storage and having capacity requirements go up and up…?

Latest Trends in Computer Hacking

This presentation is given by Jess Garcia, of SANS.

Hacking activities have changed over the last three years or so.

• Dec-07—Sophiticated Trojan loots business bank accounts.
  
• Jan-08—Bank Trojan charges for sex, breaks two factor authentication.
  

Botnets are being used differently now—they are the basis for more than just Denial of service attacks.

Hackers now attacking the security software itself and then obfuscate what has happened.

Another reason why we should patch immediately—85% of the time now, there are exploits released the same day as patches for vulnerabilities. That's up from 18% in 2004. No longer are the attackers teenager computer experts, now they are professional cyber-criminals (hired by criminal gangs—or, if they are teenagers, they have been kidnapped by the gangs and threatened). Rather than being motivated by prestige and curiosity, they are motivated by money.

Top Threats 2008:

• Client side: Browser Plugin Attacks
  
• Web Apps (51% of all vulnerabilities): SQL Injection and cross-site scripting
  
• Virtualization—this seems to be a growing area
  
• Malware
  
  • Trojan Bankers
    
  • Botnets
    

Haydan is a tool that can be used to create payload with the desired MD5 hash… so much harder to trust hashes.

Malice, Misuse or Mistake: Getting to the "root" of the problem

This presentation seemed to suffer the same issue that I saw in vendor presentations in Barcelona—everything seemed to revolve around selling rather than imparting information—the speaker's motivation was different. Little to say really other than we should try to follow the principle of least privilege—but nothing about how much harder that might be as we try to breakdown data silos and provide new views on data across multiple databases—no strategies for managing those new problems… ah well.

Security of Big Applications, Legacies, Databases and Vendors

There is a key need for: Dynamic Analysis Security Testing and Static Analysis Security Testing. They will help us to ensure that the applications we buy or develop are secure. I had my 1-on-1 with the speaker at lunchtime. He suggests that we should be asking vendors what kinds of analysis they have performed on their code. We should expect that the applications we use in conjunction with code development are deeply integrated with Visual Studio.

There is a growing body of threats to database applications, via their web interfaces. We should look at data obfuscation technologies to help us with testing and if we have vendors asking us to send them databases for debugging (something we won't do now). Vendors: Applimation, DCR, Compuware, Camouflage, IBM, Oracle.

"Legacy application is any application that really works." i.e., as soon as an application goes live, it is legacy. As soon as we take our eye off the ball, we're not working on an application, it becomes legacy. Legacy understanding is key to legacy security. Use dynamic and static analysis to collect information on legacy, and determine what needs to be done to secure our legacy systems.

Consider a quadrant picture with two axes: application business value against application technical quality.

Increasing Application technical quality	Tolerate (Re-evaluate/reposition)	Integrate (maintain/evolve)
	Eliminate (Retire/Consolidate)	Migrate (Modernize/re-engineer)
	Application business value -> (successful attack, is low harm)	Increasing (successful attack is high harm

 

Open Source SAST and DAST technologies are being used by hackers to determine vulnerabilities in applications. They can then use the vulnerabilities that they find to hack those applications. We need to ensure we understand what the hackers understand about our applications.

We should be using tools through all phases of application development to ensure we develop secure applications. Need to look at the speaker's Gartner publications for more direction.

DNS

Spent some time over lunch talking to DNS. We discussed Self-Service Password Reset (SSPR). They indicated the following:

1. If you get password convergence, the use of SSPR reduces, as people have only one password to remember
   
2. People feel a stronger ownership of their password when they have only one (it is their password, not the Windows password or the e-mail password or VLE password). That stronger ownership leads to them keeping their password more secure.
   
3. When there is password convergence, people are less likely to share their password, as that password gives access to their e-mail.
   
4. They have implemented SSPR but use up to twelve questions to identify someone, and let the end-user determine the questions that they would be asked. They do not recommend we try that in the university as they would probably go with "Q1", "Q2" for the questions and "yes" for all the answers.

The Mark One Human Being

Recent security breaches:

• Nationwide fined £980,000 for stolen laptop.
  
• HMRC lost two CDs of child support data
  
• Bank customer data sold on eBay
  
• Secret terror file left on train
  
• Royal Navy laptop stolen with 600,000 people's details…
  

66% of companies increased IT security spending in 2007, but still these events continue.

40% provide ongoing security awareness training to staff—i.e. 60% do not.

If we don't teach people what they need to know about security, we will not be able to make the university's data more secure. We need to make security education and awareness a key part of our information security strategy. It is not enough to tell people that security is their responsibility. Consider how we market information security awareness to ensure that the message gets across.

Once the communication is out, measure whether there is a change in behaviour. Policy compliance, and survey results are used to inform the following year's approach.

If we put the technology in place, but do not market and communicate the programme, so that individuals understand and fulfil their responsibilities, the investments wwe make will be worthless and security breaches will happen—meanwhile our support for investment in security will wane.

Conference Opening and Building a Real-Time Adaptive Security Infrastructure

Speakers: Jay Heiser; Tom Scholtz; Neil MacDonald.

Coming up later this week:

• Ross Anderson—professor of Security Engineering, University of Cambridge Computer Laboratory--speaks tomorrow and has written a book called "Security Engineering".
  
• Peter Hustinx, European Data Protection Supervisor—strategic issues for data protection in Europe.
  
• Best practice workshops: SANS; ISACA.
  

Adaptive Security Infrastructure; Neil MacDonald discussing how information security must become adaptive. Adaptive to changing threats and to changing business needs. At the moment, information security is not keeping up; too many point products, with too much complexity; products are too expensive and vendors are not investing enough. Network, endpoint, application and content security all separate and don't talk to each other. We need to switch from "zero risk" to "managed risk".

Implications for security as we virtualize hardware, operating system and applications; data from applications is abstracted through web services. Then there are portable personalities, EC2 (Amazon) etc etc...

The current model is flawed: there is no "us" and "them". Every device, every packet, all content, every user is a risk. Implication is that the notion of the "perimeter" is less important; security and trust are no longer binary; we need to think about the "relative trustability". Rather than just one "perimeter" there will be multiple. Look to survival of the system: protect workloads and information, not endpoints.

At the bottom, firewalls, application control. In the middle, anti-virus, anti spam, URL filtering. At the top, looking at behaviour. The layers communicate with each other.

Service Mark-up Language is going to be used to build security models (amongst other things) at the point that applications are written (will be announced by Microsoft at TechEd as project "Oslo"). Seems like the next generation of Dynamic Systems Initiative. The model describes the role(s) that should be able to perform particular functions within the application.

Mobility and Security Management Cycle

Security requires management, management requires security.

Cycle: Manage-Secure-Defend-Budget-Specify-Configure

• How does mobility affect the challenge of management and security?
  
• What are the key implementation decisions to security and management?
  

Management becomes more difficult when personal devices must be managed and secured (makes me think of devices bought by departments and faculties.

Platforms each require infrastructure for security and management: Blackberry, Windows Mobile, PC, personal PC, Nokia… But if we restrict platform support, people forward mail from managed device to personal account—then what happens to the security?

Recommendations: apply security policy at the point that a device is provisioned. Change management should check whether the device is within compliance. As issues are solved, move them out of the responsibilities of the security group—those problems are solved, and the security group needs to look constantly to the future. Network access control; VPN; patch management; local data encryption; port/peripheral usage control; firewall; anti-spyware; anti-virus. For us, many of these things are rightly handled by "operations"—but maybe we need to look to the others.

• What are the inherent weaknesses of the device?
  
• What default measures will strengthen device security?
  
• What exposures are caused by the way the device is used?
  
• What security measures and user practices will reduce exposure?
  
• Can the device configuration be monitored or controlled?
  
• Will good management reduce operations and support costs as well as improve security?
  

Consider that all the above questions need to be asked for each type of device that we use…

We may be at odds with users' requirements to ensure security. It is interesting that the speaker says that we don't have time to evaluate windows updates before we apply them—we should just accept the risk of deploying straight away. Not worth using EFS unless you follow best practices—otherwise it is too easy to break. Encryption and strong authentication much better than remote lockdown/erase for mobile devices.

Securing wifi is to be a big problem moving forward—too many different kinds of devices.

• Trusted devices: corporate-issued, fully controlled (ISS managed PCs)
  
• Tolerated device: limited to safe interactions
  
• Unwanted devices: uncontrolled, unmanaged
  

Speaker used this grid to show that there is a landscape of issues, and that we must look to converge on solutions that cover multiple areas of the grid—though there are different strategies for doing that. I think that we would benefit from looking to build a list of devices appropriate to the institution and determine how we are approaching the different areas of concern versus how we ought to approach them.

	Encryption	lock/ wipe	backup/ restore	Inventory & audit	patch update	software distribution	anti-malware	VPN	user Auth
Company Desktop
Company notebook
Windows Mobile
Contractor PC
Employee notebook
Portable personality
iPhone
Blackberry

 

 

Introduction

I am attending Gartner's Security Summit in London at the Royal Lancaster Hotel. This blog will contain my notes from the various sessions I will attend.

The first session is early on Monday morning--the music is the same as at the last Gartner event I attended--May in Barcelona... Look forward to my session notes.