Information Security– SNO International Zanzibar, Tanzania Joe Beaulac, Sr. Manager – Cyber Defense Center & Risk/Vulnerability Management 23 September 2014
Dec 25, 2015
Presentation Topics
• SNO – Security Survey Results
• Leadership Support
• Security Organizational Structure
• Security Incident Flow
• Security Best Practice
• Has your company completed a Business Impact Analysis (BIA) as it relates to the risk/vulnerability potential associated with a security incident?
• Would you say your company has effective security controls in place? (Administrative, Technical, Physical)
• Does your company have an effective Configuration Management/Change Control process in place to track changes, system owners, and configuration information?
• What area of your organization would be most beneficial for this team to focus on "Best Practice" recommendations?
Information Security Management
• Protecting the assets of the organization through the implementation of physical, administrative, managerial, technical and operational controls.
• Organizations compete in a global marketplace governed by laws and best practices such as NIST, ITIL, ISO 27000, HIPAA, FISMA, COSO, and COBIT.
• Failure to protect information assets from loss, destruction, or unexpected alteration can result in significant losses of productivity, reputation or finances.
Information and the systems supporting the mission of the organization are assets which must be protected.
Gaining Leadership Support: Business Continuity & Disaster Recovery Planning
• Leaders have 2 main goals:
– To execute the mission of the company
– To protect the organization
• Security’s primary goal is to protect the organization
• Risks of operating without a sound plan in place:
– Financial loss
– Loss of reputation / customer confidence
– Regulatory fines/penalties/lawsuits
Effective security management requires judgment based on the risk tolerance of the organization, the cost to implement the security controls, and the benefit to the organization.
Risk Assessment & the Business Impact Analysis
• Must be effective at communicating risk and the possible security solutions
• Sr. Management has the final decision on implementing specific security controls
• There will always be residual risk. The goal is to minimize risk to a level that fits the company's risk tolerance
Security and Risk Management Relationship
Enterprise Information Security and IT Compliance – functional areas:
• Information Security Applications and Services
• IT Policy and Compliance
• Vulnerability and Risk Management
• Identity Management and Information Security
• Access Management
• Cyber Incident Response & Forensics/eDiscovery
Responsibilities listed on the slide:
• Enterprise Identity Management Program
• Security Program Management
• Project Management
• Security Architecture
• Identity Management
• Access & Authentication Management
• Identity Controls
• Vulnerability Management
• Application Security
• Project & 3rd Party Risk Reviews
• Policy Governance
• Remediation Planning, Management & Reporting
• Security Awareness Program
• IT Compliance, Audits & Assessments (SOX, PCI, HIPAA/HITECH, etc.)
• Security Event Monitoring
• Antivirus / Spyware
• Data Leakage Prevention
• File Integrity Management
• Security Infrastructure Tools
• System, Application and Network Security Event Logs
• Cyber Incident Response
• IT Security Investigations
• Forensic and e-Discovery/Legal
• Data Privacy, Loss, Control
• Data Inventory and Classification
• Planning, Design
• Penetration Testing
• Ethical Hackers
Phases of a Cyber Incident - Preparation
• 7x24x365 coverage: CDC - First Tier Support; CSIRT – Second Tier
• Training: GCIH, CISSP, CISA, CEH, EnCE
• Playbooks
• Exercises
• Tools: Arbor DDoS, Intrusion Detection (NIDS), Network Packet Capture, Security Event Management
Sample Event Flow: Cyber Incident - Detect
Flow (Cyber Incident Response Plan Activated > Cyber Emergency Response Team):
• Receive notice of possible cyber attack
• Determine cyber attack exists
• EIS to investigate and determine if CERT activation is required
• If needed, CERT is activated
• CERT to determine if ECERT activation is required
• If needed, ECERT is activated
CDC (Tier 1):
• Inputs: alerts from security tools (AV, Arbor, IDS, etc.); phone call, Remedy, e-mail notifications*; help desk escalations
• Analysis
• 1st level triage
• Severities: Low, Medium
• Escalation to CSIRT
CERT (Tier 2):
• Inputs: threat analysis escalations; communication escalations
• Analysis
• Incident management
• Severities: High, Critical
• Escalation to ECERT
* 50,000+ wallet-size emergency contact lists are being distributed to TWC employees
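The tiered routing described on the Detect slide, as an added example that is not part of the original deck: alerts from the tools named on the slide are de-duplicated, grouped by host and routed by the slide's severity rule (Low/Medium stay at CDC Tier 1, High/Critical go to CERT Tier 2, which then decides on ECERT). The alert feed, its pipe-separated format and the rule that only Critical prompts an ECERT request are constructed assumptions.

```python
"""Added example (not from the slide deck): routes alerts reaching the
Cyber Defense Center by the slide's rule - Low/Medium severities are
triaged at CDC (Tier 1), High/Critical escalate to CERT (Tier 2), and
CERT decides on ECERT. Alert lines, tool names, the pipe format and the
'only Critical prompts an ECERT request' rule are constructed assumptions."""
from collections import defaultdict

SEV_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed feed in the form "source|severity|host|summary".
SAMPLE_ALERTS = [
    "IDS|medium|10.0.0.5|inbound port scan",
    "AV|low|10.0.0.9|adware quarantined",
    "Arbor|high|203.0.113.7|volumetric DDoS on edge",
    "HelpDesk|critical|10.0.0.5|user reports ransom note",
    "IDS|medium|10.0.0.5|inbound port scan",   # duplicate of the first line
]

def parse_alert(line):
    """Split one feed line; reject severities outside the slide's four."""
    source, severity, host, summary = (p.strip() for p in line.split("|", 3))
    sev = severity.lower()
    if sev not in SEV_RANK:
        raise ValueError(f"unknown severity {severity!r}")
    return {"source": source, "severity": sev, "host": host, "summary": summary}

def escalation_chain(severity):
    """Tier path per the slide: CDC first, CERT for High/Critical,
    ECERT request (assumption) only for Critical."""
    chain = ["CDC (Tier 1): 1st level triage"]
    if SEV_RANK[severity] >= SEV_RANK["high"]:
        chain.append("CERT (Tier 2): analysis and incident management")
        if severity == "critical":
            chain.append("ECERT activation requested")
    return chain

def triage(lines):
    """De-duplicate identical alerts, group by host, and route each host by
    its worst severity so related lower alerts travel with the worst one."""
    seen, by_host = set(), defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        key = (alert["source"], alert["host"], alert["summary"])
        if key in seen:
            continue
        seen.add(key)
        by_host[alert["host"]].append(alert)
    report = {}
    for host, alerts in by_host.items():
        worst = max((a["severity"] for a in alerts), key=SEV_RANK.get)
        report[host] = {"alerts": len(alerts), "severity": worst,
                        "chain": escalation_chain(worst)}
    return report
```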
Event Flow: Cyber Incident - Contain
Parties involved: CDC Incident Management, CERT, 3rd Party Vendors, Operational Teams / Help Desks, Owners of Attacking Address
CERT:
• Business Decisions
• Legal Breach Notification
• Public Relations
CDC:
• Containment -> Eradication -> Recovery
• Incident Management with Technical Teams
• Technical Communications
Cyber Incident – Post Mortem
Lessons Learned:
• Which CSCs helped or would have helped?
• Exactly what happened and when?
• How well did staff and management perform?
• How could information sharing have been improved?
• What additional tools or resources are needed to detect and block future incidents?
Recommendations:
• Tools, resources, procedures needed?
• What CSCs should be more fully implemented?
• ESD – Asset Inventory Updates
• Knowledge base updates
• Communication improvements
Security Best Practices
• Encrypt your data: Stored data, file systems, and across-the-wire transfers all need to be encrypted. Encryption is essential to protecting sensitive data and helps prevent data loss due to theft or equipment loss.
• Use digital certificates to sign all of your sites: Store your certificates on hardware devices such as routers or load balancers rather than on the web server as is traditionally done. Obtain your certificates from one of the trusted authorities.
• Implement DLP and auditing: Use data loss prevention and file auditing to monitor, alert, identify, and block the flow of data out of your network.
• Implement a removable media policy: Restrict the use of USB drives, external hard disks, thumb drives, external DVD writers, and any writeable media. These devices make it easy for malware to enter, and data to leave, your network.
Secure websites against MITM and malware infections
• Secure websites against MITM and malware infections: Use SSL, scan your website daily for malware, set the Secure flag for all session cookies, use SSL certificates with Extended Validation.
• Use a spam filter on email servers: Use a time-tested spam filter to remove unwanted email from entering your users' inboxes and junk folders. Teach your users how to identify junk mail even if it's from a trusted source.
• Use a comprehensive endpoint security solution: Use a multi-layered product to prevent malware infections on user devices. Antivirus software alone is not enough. Antivirus, personal firewall, and intrusion detection are all part of the total approach to endpoint protection.
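One way to check the "Secure flag for all session cookies" item above on a set of response headers, as an added example that is not part of the original deck: it parses Set-Cookie header values and reports session cookies missing the Secure flag. The sample headers are constructed, the name hints used to recognise session cookies are an assumption, and the HttpOnly check goes beyond what the slide lists.

```python
"""Added example (not from the slide deck): audits Set-Cookie headers for
the Secure flag the slide asks for on session cookies. The header lines
are constructed, the name hints used to spot session cookies are an
assumption, and the HttpOnly check goes beyond the slide."""

SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")   # assumption

# Constructed responses: one Set-Cookie header value per entry.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/",
    "sid=987; Path=/; Secure",
]

def parse_set_cookie(header_value):
    """Return name, value and a lowercase attribute map. Flag attributes
    such as Secure map to True; valued ones (Path, Max-Age) keep their value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def is_session_cookie(name):
    """Heuristic (assumption): a cookie is a session cookie if its name
    contains one of the hints above."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)

def audit(headers):
    """List (cookie name, missing flags) for every session cookie that is
    not marked Secure (and, beyond the slide, HttpOnly)."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not is_session_cookie(cookie["name"]):
            continue
        missing = [flag for flag in ("Secure", "HttpOnly")
                   if flag.lower() not in cookie["attrs"]]
        if missing:
            findings.append((cookie["name"], missing))
    return findings
```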
Network-based security hardware and software
• Network-based security hardware and software: Use firewalls, gateway antivirus, intrusion detection devices, honey pots, and monitoring to screen for DoS attacks, virus signatures, unauthorized intrusion, port scans, and other "over the network" attacks and attempts at security breaches.
• Maintain security patches: Some antivirus programs update on what seems like a daily basis. Be sure that your software and hardware defenses stay up to date with new antimalware signatures and the latest patches. If you turn off automatic updating, set up a regular scan and remediate plan for your systems.
• Educate your users: It might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email. Implement strict password policies.