Information Security – SNO International, Zanzibar, Tanzania. Joe Beaulac, Sr. Manager – Cyber Defense Center & Risk/Vulnerability Management, 23 September 2014
Page 1: Title slide

Information Security – SNO International, Zanzibar, Tanzania

Joe Beaulac, Sr. Manager – Cyber Defense Center & Risk/Vulnerability Management

23 September 2014

Page 2: Presentation Topics

• SNO – Security Survey Results
• Leadership Support
• Security Organizational Structure
• Security Incident Flow
• Security Best Practice

Page 3: SNO – Security Survey

Page 4: Survey question

Is your Security Information Program supported by your executive leadership?

Page 5: Survey question

Has your company completed a Business Impact Analysis (BIA) as it relates to the risk/vulnerability potential associated with a security incident?

Page 6: Survey question

Is there an established Security Incident Reporting process in your organization?

Page 7: Survey question

Would you say your company has effective security controls in place (Administrative, Technical, Physical)?

Page 8: Survey question

What are your top challenges related to security?

Page 9: Survey question

Does your company have an effective Configuration Management/Change Control Process in place to track changes, system owners, and configuration information?

Page 10: Survey question

Does your company have established Business Continuity and Disaster Recovery Programs?

Page 11: Survey question

What area of your organization would be most beneficial for this team to focus on "Best Practice" recommendations?

Page 12: How do I gain leadership support?

Page 13: Information Security Management

• Protecting the assets of the organization through the implementation of physical, administrative, managerial, technical and operational controls.

• Organizations are competing in a global marketplace which is governed by laws and best practices such as NIST, ITIL, ISO 27000, HIPAA, FISMA, COSO, and COBIT.

• Failure to protect information assets from loss, destruction, or unexpected alteration can result in significant losses of productivity, reputation or financial loss.

Information and the systems supporting the mission of the organization are assets which must be protected.

Page 14: Gaining Leadership Support – Business Continuity & Disaster Recovery Planning

• Leaders have two main goals:
  – To execute the mission of the company
  – To protect the organization

• Security's primary goal is to protect the organization.

• Risks associated with not having a sound plan in place:
  – Financial loss
  – Loss of reputation / customer confidence
  – Regulatory fines / penalties / lawsuits

Effective security management requires judgment based on the Risk Tolerance of the organization, the Cost to Implement the security controls, and the Benefit to the organization.

Page 15: Risk Assessment

Page 16: Risk Assessment & the Business Impact Analysis

• Must be effective at communicating risk and the possible security solutions.
• Sr. Management has the final decision on implementing specific security controls.
• There will always be Residual Risk. The goal is to minimize risk to a level that fits with the company's Risk Tolerance.

Figure: Security and Risk Management Relationship

Page 17: Enterprise Information Security and IT Compliance (organizational chart)

Functional areas:

• Information Security Applications and Services
• IT Policy and Compliance
• Vulnerability and Risk Management
• Identity Management and Information Security
• Access Management
• Cyber Incident Response & Forensics/eDiscovery
• System, Application and Network Security Event Logs

Responsibilities shown on the chart:

• Enterprise Identity Management Program
• Security Program Management
• Project Management
• Security Architecture
• Identity Management
• Access & Authentication Management
• Identity Controls
• Vulnerability Management
• Application Security
• Project & 3rd Party Risk Reviews
• Policy Governance
• Remediation Planning, Management & Reporting
• Security Awareness Program
• IT Compliance, Audits & Assessments (SOX, PCI, HIPAA/HITECH, etc.)
• Security Event Monitoring
• Antivirus / Spyware
• Data Leakage Prevention
• File Integrity Management
• Security Infrastructure Tools
• Cyber Incident Response
• IT Security Investigations
• Forensic and e-Discovery/Legal
• Data Privacy, Loss, Control
• Data Inventory and Classification
• Planning, Design
• Penetration Testing
• Ethical Hackers

Page 18: Incident Management

Page 19: Phases of a Cyber Incident – Preparation

• 7x24x365: CDC – First Tier Support; CSIRT – Second Tier
• Training: GCIH, CISSP, CISA, CEH, EnCE
• Playbooks
• Exercises
• Tools: Arbor DDoS, Intrusion Detection (NIDS), Network Packet Capture, Security Event Management

Page 20: Sample Event Flow: Cyber Incident – Detect

Cyber Incident Response Plan Activated > Cyber Emergency Response Team

Flow: Receive Notice of Possible Cyber Attack → Determine Cyber Attack Exists → EIS to Investigate and Determine if CERT Activation is Required → If Needed, CERT is Activated → CERT to Determine if ECERT Activation is Required → If Needed, ECERT is Activated

CDC (Tier 1) – 1st Level Triage
  Inputs: Alerts from Security Tools (AV, Arbor, IDS, etc.); Phone Call, Remedy, E-mail Notifications*; Help Desk Escalations
  • Analysis
  • 1st level Triage
  • Severities: Low, Medium
  • Escalation to CSIRT

CERT (Tier 2)
  Inputs: Threat Analysis Escalations; Communication Escalations
  • Analysis
  • Incident Management
  • Severities: High, Critical
  • Escalation to ECERT

* 50,000+ wallet-size emergency contact lists are being distributed to TWC employees.

Page 21: Event Flow: Cyber Incident – Contain

CDC Incident Management coordinates with: CERT; 3rd Party Vendors; Operational Teams / Help Desks; Owners of Attacking Address

Cyber Incident Response Plan Activated > Cyber Emergency Response Team

Flow: Receive Notice of Possible Cyber Attack → Determine Cyber Attack Exists → EIS to Investigate and Determine if CERT Activation is Required → If Needed, CERT is Activated → CERT to Determine if ECERT Activation is Required → If Needed, ECERT is Activated

CERT:
  • Business Decisions
  • Legal Breach Notification
  • Public Relations

CDC:
  • Containment → Eradication → Recovery
  • Incident Management with Technical Teams
  • Technical Communications

Page 22: Cyber Incident – Post Mortem

Lessons Learned:
  • Which CSCs (Critical Security Controls) helped or would have helped?
  • Exactly what happened and when?
  • How well did staff and management perform?
  • How could information sharing have been improved?
  • What additional tools or resources are needed to detect and block future incidents?

Recommendations:
  • Tools, resources, procedures needed?
  • What CSCs should be more fully implemented?
  • ESD – Asset Inventory Updates
  • Knowledge base updates
  • Communication improvements

Page 23: Security Best Practices – Top 10

Page 24: Security Best Practices

• Encrypt your data: Stored data, file systems, and across-the-wire transfers all need to be encrypted. Encryption is essential to protecting sensitive data and to help prevent data loss due to theft or equipment loss.

• Use digital certificates to sign all of your sites: Save your certificates to hardware devices such as routers or load balancers and not on the web server as is traditionally done. Obtain your certificates from one of the trusted authorities.

• Implement DLP and auditing: Use data loss prevention and file auditing to monitor, alert, identify, and block the flow of data out of your network.

• Implement a removable media policy: Restrict the use of USB drives, external hard disks, thumb drives, external DVD writers, and any writeable media. These devices facilitate security breaches coming into or leaving your network.

Page 25: Security Best Practices (continued)

• Secure websites against MITM and malware infections: Use SSL, scan your website daily for malware, set the Secure flag for all session cookies, use SSL certificates with Extended Validation.

• Use a spam filter on email servers: Use a time-tested spam filter to remove unwanted email from entering your users' inboxes and junk folders. Teach your users how to identify junk mail even if it's from a trusted source.

• Use a comprehensive endpoint security solution: Use a multi-layered product to prevent malware infections on user devices. Antivirus software alone is not enough. Antivirus, personal firewall, and intrusion detection are all part of the total approach to endpoint protection.
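As an added illustration of the "set the Secure flag for all session cookies" point (example code written for this transcript, not from the deck or its author): a small Python audit that parses Set-Cookie header values, treats any cookie without Expires or Max-Age as a session cookie, and reports every cookie issued without the Secure flag. The sample headers are constructed, not captured from a real site.

```python
"""Audit Set-Cookie headers for the Secure flag (added example, not from the deck)."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and an attribute map.
    Attribute names are compared case-insensitively, as RFC 6265 requires."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per cookie that is missing the Secure flag.
    A cookie with neither Expires nor Max-Age is a session cookie (it lives
    until the browser closes); those are the ones the slide says must be
    Secure, but the audit reports persistent cookies as well."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        is_session = "expires" not in attrs and "max-age" not in attrs
        if "secure" not in attrs:
            kind = "session cookie" if is_session else "persistent cookie"
            findings.append(f"{cookie['name']}: {kind} sent without Secure flag")
    return findings


# Constructed sample response headers (hypothetical cookie names, not a real site)
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",              # session cookie, no Secure -> finding
    "csrftoken=xyz; Path=/; Secure; SameSite=Strict",   # session cookie, Secure -> ok
    "prefs=dark; Max-Age=31536000; Path=/",             # persistent cookie, no Secure -> finding
    "sid=ff00; Path=/; Secure; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT",  # ok
]

if __name__ == "__main__":
    for line in audit_cookies(SAMPLE_HEADERS):
        print(line)
```

The Secure flag only stops the browser from sending the cookie over plaintext HTTP; it does not protect a site that still serves some pages over HTTP, which is why the slide pairs it with using SSL everywhere.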

Page 26: Security Best Practices (continued)

• Network-based security hardware and software: Use firewalls, gateway antivirus, intrusion detection devices, honey pots, and monitoring to screen for DoS attacks, virus signatures, unauthorized intrusion, port scans, and other "over the network" attacks and attempts at security breaches.

• Maintain security patches: Some antivirus programs update on what seems like a daily basis. Be sure that your software and hardware defenses stay up to date with new antimalware signatures and the latest patches. If you turn off automatic updating, set up a regular scan and remediate plan for your systems.

• Educate your users: It might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email. Implement strict password policies.

Page 27: Questions?