CrestCon and IISP congress – Dr Ian Levy presentation

Today I attended the CrestCon and IISP congress. One of the keynote presentations was by Dr Ian Levy, the technical director of the NCSC (National Cyber Security Centre). This was titled ‘NCSC – WTF’. It was a very interesting and refreshingly forthright talk, so I thought I would share it! He covered a lot of the work and plans of the NCSC along with some of his personal thoughts.

My notes from the presentation are below. I have included various links for ease of reference, and definitely recommend reading the materials they lead to.

National Cyber Security Strategy 2016-2021

    • Basically – information sharing is not enough, get off your arse and do something about it! (his words 😉 )

NCSC;

  • Should be the single government / legal point of contact you go to for anything cyber.
  • A different sort of agency
    • Collaborate with the NCSC – Secondments for Cyber experts to work with and help the country’s cyber security


APTs are in the press a lot, however, let’s be honest;

    • Anatomy of most unprecedented, sophisticated cyber attacks;
      • Attacker does a bit of research
      • Attacker sends a spear phishing email to an admin
      • Admin opens email using admin account, exploiting unpatched stuff
      • Attacker does nefarious stuff as admin
      • Monitoring does not work
      • Attacker takes data or changes data
      • Profit

Most APT is not APT at all. Is the focus correct? APT – less Advanced Persistent Threat, more likely Adequate Pernicious Toe-rag (I have heard this before, not sure who first coined the term).


XKCD – Security tips cartoon! Highlighting that some security advice is not always the best.

Some general thoughts;

    • Admins must not browse the web or use email with admin account – if you still allow this, you should get a new job..
    • Have a different, complex password for each system you use – stupid advice!
    • (not)Awesome advice – Don’t open an attachment unless you trust the email.. – How do people ‘trust an email’???
      • If you own an email domain and don’t use DMARC you should be ashamed..
      • NCSC have open sourced their DMARC management solution – could we use this rather than paying for something?  They even have a dashboard that will be open source soon.
      • https://www.ncsc.gov.uk/blog-post/open-sourcing-mailcheck


The NCSC is trying to reduce harm by asking nicely – automatically asking ISPs and hosting providers to take down malicious sites


Recursive DNS is my friend.

    • Hosting their own DNS – moving all public sector organisations to using the NCSC DNS. It will automatically not provide details for known bad sites / services, so unless you connect by IP you just won’t get to them.


NCSC – Active Cyber Defence programme.  This provides a great overview of many of their initiatives and how they hang together;

https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackling-cyber-attacks-uk


Read Understanding Uncertainty – ‘Medicine, poison, poison, poison’.

Goal for NCSC – From fear to published evidence and analysis

    • So you can target your security strategy and spending appropriately!


Keep security advice basic, brief and relevant

E.g. 5 tips for email, 5 tips for phones, etc. Something like: encrypt, keep up to date, use a PIN, don’t jailbreak, only install apps from Google Play / the Apple App Store.

‘Hacking back’ / Offensive security – his opinion

    • Should be reserved for government, potentially not legal for private firms.
    • Must be very organised, concerted effort.  Attribution is very hard..
    • Any private company doing this is mad, due to potential repercussions.

If you have any questions I’ll try to answer them, but I hope you have found this and the links interesting!

K

RSA Shell Crew investigation

I was recently asked to summarise and comment on the recent RSA investigation and published report into the ‘Shell Crew’ attacks, so thought I’d share this;

The Shell Crew attacks investigated by RSA IR are a clear example of what is usually referred to as APT (Advanced Persistent Threat) attacks. They were able to persist for considerable lengths of time in various enterprises, all the while covering their tracks and updating malware and backdoors. During the time they were inside the various enterprises their aim was to exfiltrate as much data and intellectual property as possible.

They used a variety of techniques from phishing and spear phishing (extremely targeted phishing) to web application framework attacks to gain entry, and once inside used many techniques including;

– Web shells

– Lateral movement, making use of RDP, psexec, open network connections and job scheduling via the at command.

– Code signing of backdoor malware so it installed without warnings

– Utilising the SETHC RDP backdoor

– Proxy tools installed on servers to avoid corporate proxies

– Proxy-aware malware that connected out using stolen credentials

– Falsifying time and date stamps on malicious files

Prior to the attacks there were lengthy periods of reconnaissance of the businesses and their technical footprint.

Looking at the tools and techniques used, it appears they predominantly attacked Windows based systems.

The example detailed involved a hack of a web server running a vulnerable version of Adobe ColdFusion, where the vulnerability enabled directory traversal.  This enabled them to access the password file for ColdFusion, download it and crack it (likely with rainbow tables).  The next step was to download and install web shells, backdoor software and various password cracking and hashing tools onto the server.

Some take away points include;

  • Details of the exploit were clearly captured in the web server logs – highlighting the need for proper log correlation and alerting.
  • They logged into the web server with the Admin password within 10 minutes of stealing the hash – 2-factor authentication should be used for web accessible accounts where possible. If passwords must be used, a large salt must be added to the hashes.
  • Once they were on this server they quickly moved to control / access many other servers on the compromised network.
  • Various ‘entrenchment’ methods were used to ensure their presence was hard to remove, including;
    • They used various web shells, from simple one-line ones all the way to advanced ones with trojan-like capabilities. Web shells are malicious files written in web scripting languages. They have some benefits over trojans such as being rarely detected by AV programs, running within the web server so they blend with other traffic and are hard to block, and having no need to beacon home.
    • Registering malicious DLLs so that the commands they ran were interpreted by the malicious DLL, making them harder to detect.
    • Modifying the System.Web.dll file (a core .NET DLL), enabling specially crafted POSTs to the server that, without a # at the start, would just result in a 404 page.
    • Installation of custom variants of the ‘Trojan.Derusbi’ malware. This monitors all open TCP ports on the server for a specific simple, but pseudo-random, handshake. When it sees one it responds with a handshake. The remote user can then control the trojan with various obfuscated commands. These include file traversal, starting / stopping processes, uploading / downloading files, time stomping (deleting or modifying time stamp related information on files – makes forensics more challenging), opening reverse shells, and locating and decrypting passwords stored in browsers such as IE and Firefox.
    • Sethc backdoor – replacing sethc.exe with cmd or explorer, or making a registry change to the sethc entry. If RDP is enabled, connecting and then pressing SHIFT 5 times will bring up CMD, explorer, or the debugger.
  • On top of this they also downloaded a lot of other malicious files and ‘secondary tools’ including many variants of the Derusbi trojan, notepad.exe (actually multi-purpose malware including proxy capabilities, time stomping, user impersonation, Run As etc.), credential loggers etc.
  • The attack appears to target Windows Server 2003, 2003 R2 and XP variants – ensure you are using current versions of operating systems, and that they remain fully patched.
  • Obfuscation of code for the various malware tools was heavily used. While it is often not complex to manually de-obfuscate the code, this technique helps malware avoid detection by automated tools and also means the code / scripts don’t look like code to the untrained eye if an admin or someone stumbles across them.
  • Credential capture / logging was attempted in various ways on compromised machines in the estate including; hash dumping (grabbing hashes then likely using rainbow tables to crack them), keystroke logging, MSGINA (MS Graphical Identification and Authentication – a key part of the MS logon process) man-in-the-middle, and hooking into authentication functions.
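An added illustration of the log correlation point above (constructed example, not code or data from the RSA report or the original post): a small Python script that flags directory traversal requests in web server logs, covering the double-encoded and backslash variants the post does not mention, and raises an alert when the same source address then logs into the admin area within 10 minutes, the window the report observed. The log format, IPs, paths and the convention that a POST to /admin answered with 302 is a successful login are all assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (hypothetical addresses and paths, not from the RSA report).
# Lines 2 and 3 are a traversal attempt, single- then double-encoded; line 4 is a
# successful admin login from the same address about eight minutes later.
# Lines 5 and 6 are a routine admin login and a traversal *after* a login (no alert).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2014:10:02:11 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.7 - - [12/Jan/2014:10:03:40 +0000] "GET /app/view.cfm?f=..%2F..%2F..%2Fconf%2Fpasswd.properties HTTP/1.1" 200 220
203.0.113.7 - - [12/Jan/2014:10:03:41 +0000] "GET /app/view.cfm?f=..%252F..%252Fconf%252Fpasswd.properties HTTP/1.1" 200 220
203.0.113.7 - - [12/Jan/2014:10:11:58 +0000] "POST /admin/login.cfm HTTP/1.1" 302 0
198.51.100.9 - - [12/Jan/2014:10:12:03 +0000] "POST /admin/login.cfm HTTP/1.1" 302 0
198.51.100.9 - - [12/Jan/2014:10:40:00 +0000] "GET /app/view.cfm?f=../../conf/x HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_traversal(path):
    """True if the request path contains a '..' segment after decoding.

    Decoding is repeated so double-encoded sequences (%252F) are caught, and
    backslashes are normalised because Windows-hosted servers accept both.
    """
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?=&]", decoded))


def is_admin_login(rec):
    """Assumed convention: a POST under /admin/ answered with 302 is a successful login."""
    return rec["method"] == "POST" and rec["path"].startswith("/admin/") and rec["status"] == 302


def correlate(log_text, window_minutes=10):
    """Alert when a source IP logs into the admin area within the window of a traversal request.

    Returns a list of alerts with the IP, the traversal and login timestamps,
    and the gap in seconds between them.
    """
    window = timedelta(minutes=window_minutes)
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    last_traversal = {}  # ip -> timestamp of the most recent traversal request
    alerts = []
    for rec in records:
        if is_traversal(rec["path"]):
            last_traversal[rec["ip"]] = rec["ts"]
        elif is_admin_login(rec):
            seen = last_traversal.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= window:
                alerts.append({
                    "ip": rec["ip"],
                    "traversal_at": seen,
                    "login_at": rec["ts"],
                    "gap_seconds": int((rec["ts"] - seen).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"ALERT {a['ip']}: traversal at {a['traversal_at']:%H:%M:%S}, "
              f"admin login {a['gap_seconds']}s later")
```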

Overall this is a good, in depth report that really highlights both how easily an adversary can gain access to the corporate network, and how entrenched they can become across many servers in the network once they have a foothold.

Up to date, patched systems, defence in depth, and first rate logging, correlation and alerting are key factors in prevention and quick detection of breaches.

Detection and response are becoming increasingly important in a world where you will be compromised.

K

2013 personal review and 2014 plans

Happy New Year readers 🙂

So it’s that time again, new year, new plans and all that.

Before I look ahead to my plans for 2014, how was 2013?

The educational highlight for 2013 was completing my Masters project and gaining my MSc in ‘Distributed Systems and Networks’.

I also managed to attend a few interesting conferences including Infosec, F5, and Information Security Forum.  Relevant notes from these events were uploaded to this blog throughout the year.

My education fail for the year was not getting round to taking my TOGAF exam.  This is one of those things that looks like it may be career useful, but I am not particularly passionate about.  I have completed the course and worked in environments where it is applied, so understand the framework and how to use it, however getting motivated to do the exam has failed to reach the top of my to-do list.  I’ll see how this year goes, 2014 may be the year I get round to it.

Work wise it was all change in 2013 as well with my move from Canada Life to WorldPay in January. One of the best moves I have made; Canada Life was a pleasant place to work, but the slowest and least dynamic company I have ever been in. Some people are very happy there, but it wasn’t for me! WorldPay is considerably more dynamic and, being a payment processor, places a high value on doing things securely, which makes my role as a security architect very rewarding.

There are a lot of changes happening at WorldPay so watch this space for updates on my career and where it is heading. One way or another I’ll definitely be staying in the security field, and very likely architecture.

Which brings us nicely onto 2014..

From a work project perspective this year is still very much up in the air, some projects I definitely know about include;

– New SIEM solution unifying the log correlation solution across the business,

– Creating security road maps and strategy,

– A considerable amount of application security and WAF (Web Application Firewall) work,

– Implementing APT (Advanced Persistent Threat) protection and detection,

– Supporting the design and creation of a new Security Operations Centre,

– Setting up various avenues to better integrate security with the wider business so we can communicate better with stake holders and customers,

– Several other things not yet ready for disclosure but I will update on what I can throughout the year.

One of my main plans for this year is to get more involved with the business as I am pretty good at staying abreast of security and the technical side of things, but don’t always have as much involvement and awareness of the business as I perhaps could / should.

As a starter for 10, given that my last three roles have been in the financial sector, I have recently started reading The Economist, which is surprisingly interesting. I have also picked up a couple of projects, such as the one mentioned above around communicating better with the business, to aid this in my current role as well as wider industry awareness.

Other than that 2014 will include my graduation ceremony, some conferences, and likely some further study.  Time permitting I may also submit speaking proposals to a couple of conferences, but this is very much a maybe.

I’ll also be working to implement some more of the tips from the Productivity Ninja to aid planning and organisation.

What are your plans for the year?

Here’s to a successful 2014!

K


Security Awareness Training – Worthwhile?

One of the topics that I sometimes think about is the value of security awareness training.

This tends to be a topic that many people in the security industry seem fairly passionate about, either for or against the value of it.
Vendors of software / programs such as Wombat, PhishMe, SANS etc. are all very pro user awareness training and regular programs to raise security awareness.
Conversely, companies who sell products and not training are likely to strongly advise that security budget is spent on tools rather than awareness training. To reinforce this point, at RSA Europe last year I actually asked a couple of senior RSA guys about the value of awareness training when they did a presentation around improving security and where to spend, and was told somewhat strongly that awareness training was basically a waste of time.

So the question is who is right, or do both sides have a fair point?

On the for side – how can users be expected to act securely and know how to act securely without some training? People need to learn and understand how to spot phishing emails, why it is bad to send anything non-public externally without it being encrypted, why strong and unique passwords should be used, how to spot social engineering etc. Security awareness training and campaigns can serve a dual purpose –
– Ensure users learn more about security for both their work and home IT / online lives
– Raise general awareness – a continual program of advice and varied messages keeps general security and secure methods of working on people’s minds – this should not be a once a year process.
Any increase in security awareness and reduction in the attack surface that is the human user must be a good thing, right?

On the against side – what is the most effective way to spend a limited security budget? Does spending budget on training offer the same improvement in overall security as, say, adding a further layer to the defence in depth strategy or hiring extra dedicated IT security personnel? Even with training a significant number of users will still click the link in a phishing email or give out details they shouldn’t to a social engineer, so you still need all the other defences, both technical and personnel, even if an extensive security awareness program is undertaken.
– Users will always be a large security risk, so it’s best to treat them and their actions as untrusted and create a security posture accordingly.

So which side is right? I think to a large extent they both are. Depending on which report you read, something like 60-80% of all APT (Advanced Persistent Threat) attacks are initiated via social engineering – e.g. getting a user to do something for the attacker. So the most insidious attacks, which are very difficult to detect and are currently being used by the security industry as the driver for selling new security tools, tend to start with the user. Then surely reducing the chances someone will succumb to social engineering must be a good thing? Yes, you’ll never get to 100%, but then no actual security device ever detects or prevents 100% of attacks. So why do security tool vendors not like awareness training? Likely money and profits.

A balanced approach is key: understand the environment and threat landscape your company operates in and create a holistic security program encompassing the necessary tools, skilled security personnel and user awareness training.

So, how can awareness training be made as effective as possible? Along with mixed and continuous messages and taking the time to make security part of the culture, the key thing is to get the message to people and make them want to take it on board. I think there are two components to make this successful;
– Fear – not with lies or exaggeration, but highlight real stories, and especially stories that people will relate to, so think PlayStation and bank / online shopping hacks.
– Make it relevant – link the secure ways of working to people’s home lives, so highlight how they can be secure online, not fall for scams, use social sites as safely as possible, shop safely etc.

To conclude, my opinion is that security awareness training does add real value and should be part of any security program. It does not, however, replace in any way the need for a strong defence in depth strategy aligned to your business and threat landscape. What do you think?

K

13 Security Myths Busted.. My thoughts.

I was recently sent a link to an article covering what were described as ’13 security myths – busted’ and asked my opinion. As it was fairly light and interesting, I thought I would share the article and my thoughts;

The original article can be found here;

http://www.networkworld.com/slideshow/86918/13-of-the-biggest-security-myths-busted.html?source=NWWNLE_nlt_afterdark_2013-02-21

Have a read of the myths and why they think they are myths, read my thoughts below, and it would be great to hear your thoughts.

1. AV – Possibly not super efficient, but I think still necessary – they kind of mix apples and oranges with the targeted attack comment, as it is not designed for that, but it still prevents the vast majority of malware and general attacks. Possibly in an environment where literally no one runs with admin privileges and there is strong whitelisting you could do without AV, but generally I’d say it is still relevant and required.

2. This one is hard to know as there is so much FUD around. It is clear that in many circumstances (Stuxnet etc., Chinese APT, US government espionage etc.) governments are investing huge sums of money and employing extremely bright people to attack and defend in cyber land. I suspect much will never be known as the NSA / MI6 / <insert secret government money pit here> are by definition very secretive. Remember all the speculation around the NSA’s ability to crack encryption in the past..

3. Totally agree – just look at most businesses and the trouble they have getting control of authentication via AD / IAM.  However, many are moving in the right direction though so maybe soon we’ll have everything in IAM and / or AD..

4. I think this one proves itself incorrect in the text – Risk management is needed, you just need to work on understanding your adversaries and the actual risks you face, which includes understanding their motivations and the value they place on your data and IP.

5. This I totally agree with. I have already highlighted that I don’t really like the fact we as an industry use the term ‘best practice’ all over our standards and policy documents etc. – who defines what it is? Is it best in any specific environment with its support skill sets and technology stack etc.?

6. Half agree they are a fact of life, however you can have effective responses and strategies around privilege control and application controls etc. to massively mitigate the risks these pose.

7. I can’t comment on this one, but most national infrastructures are inadequately protected and tend to rely on old legacy systems for many of their functions, so this is probably true in the UK for much supporting infrastructure as well.

8. Completely agree with this. Compliance is a useful checklist, but compliance with standards should be a by-product of good secure design and processes, not something we strive for as a product in itself. It provides a driver but is very much the wrong focus if you want to be secure rather than compliant.

9. Agree – CISO may own security policy and strategy etc., but security is everyone’s problem and everyone should be accountable for performing their duties with security and security policies in mind.  I’m a big fan of security awareness training as a regular thing to help educate people and keep security at the forefront of the way we do business.

10. Likely has been true, in the same way as Mac / Linux are ‘safer’ than Windows, as it has not been the focus of as much malicious attention and has not been carrying as much functionality and valuable data.  This is rapidly shifting though as we rely more and more on mobile devices for everything from banking to shopping to actual business.  So I think this one is rapidly if not already becoming a myth.

11. Agree – you can likely never be 100% secure if you want to have a life or business online.  I think it was an American who coined ‘eternal vigilance is the price of freedom’  we should work to be secure, but freedom both individually and as a business is too important and hard won to give up.  Obviously some personal freedoms to do whatever you want with corporate devices have to be given up, but I think my point stands as a general concept.  As the guy in the article says (and I do above) work to understand your adversaries, their motivations and tools.

12. Agree with this one also – continuous monitoring, trending and learning are key to understanding and preventing, or at least capturing, today’s advanced long term threats such as APTs.

13. I agree with this final one as well, and have actually blogged about this before. We live in an ‘assume you have been or will be breached’ world. Put the detective measures and controls in place to ensure you rapidly detect and minimise the damage from any breach. Read last year’s Verizon data breach report..

It would be great to hear your thoughts on this light article.

K

Cloud Security Alliance Congress Orlando 2012 pt3 – Day 1 closing keynote

Next Generation Information Security – Jason Witty

Some statistics and facts to set the scene;

– 93.6% is the approximate percentage of digital currency in the global market!

– 6.4% cash and gold available as a proportion of banking and commerce funds..

– 45% of US adults own a smartphone – 21% of phone users did mobile banking last year.

– 62% of all adults globally use social media

– Cloud ranking as #1 in top strategic technologies according to Gartner – 60% of the public cloud will serve software by 2018

– 2015 predicted as the year when online banking will become the norm..

– Nielsen global trust in advertising report for 2012;

– 28,800 respondents across 56 countries – online recommendations from known people and review sites 80-90%+ used and trusted, traditional media falling below 50% used and trusted.

– NSA were working on their own secure smartphone. Plans scrapped and now they are working on how to effectively secure consumer smart phone devices. Consumer mobile devices are everywhere!

Emerging innovations; cloud computing..

– IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.

– By 2016 SaaS will account for 60% of the public cloud

Cost savings are often cited as the reason for moving to the cloud; however other benefits like agility, access to more flexible compute power etc. often mean cloud migrations enable better IT for the business and thus you can do more. So increased quality and profit result, but costs likely remain flat.

Trends in Cybercrime;

Insiders – can be difficult to detect, usually low tech relying on access privileges

Hacktivists – responsible for 58% of all data theft in 2011

Organised crime – Becoming frighteningly organised and business like

Nation states – Since 2010 nation state created malware has increased from 1 known to 8 known, with 5 of those in 2012. Nation states are now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.

Organised Crime – Malware as a Service

Raw material (stolen data) – Distribution (BotNet) – Manufacturer (R&D, Code, Product Launch) – Sales and support (Delivery, Support (MSI package installation, helpdesk), Marketing – Customer (Affiliates, Auctions / Forums, BotNet Rental / Sales)

Crime meets mobile – Android – patchy updates as they are vendor dependent, many pieces of malware, but Play Store security is getting better.

Nation states becoming increasingly active in the world of malware creation..


So, Next generation Information Security;

– Must be intelligence driven

  • Customer
  • Shareholder
  • Employee
  • Regulatory
  • Business line
  • Cyber threat

– Must be comprehensive

  • Anticipate – emerging threats and risks
  • Enable –
  • Safeguard

– Must have excellent human capabilities

– Must be understandable – need to explain this and ensure the board understands the risks and issues – PwC survey – 42% of leadership think their organisation is a security front runner. 8% actually are. 70% of leadership think info sec is working well – 88% of infosec think leadership is their largest barrier to success..

– We cannot do this alone: strong intelligence partnership management

Pending cybercrime legislation;

– White House has stressed the importance of new cyber security legislation.

– Complex laws take time to review and pass; technology environments change fast.

– Various Federal laws currently cover cybercrime – Federal Computer Fraud and Abuse Act, Economic Espionage Act etc.

– Likely executive order in the near future with potentially large cybercrime implications.

While this is a very US centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.

Intelligence driven: the next phase in information security;

– Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats

– Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets

– Building and nurturing multiple data sources. Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.

– Establish automated analytics and establish patterns of data movement in your organisation

I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012.  This can be downloaded from here;

http://www.rsa.com/innovation/docs/11683_SBIC_Getting_Ahead_of_Advanced_Threats_SYN_UK_EN.pdf

K

Cloud Security Alliance Congress Orlando 2012 pt2

CSA STAR – lessons from an early adopter – Microsoft Director of Trustworthy Computing

The Trustworthy Computing Initiative had its 10 year anniversary in 2012.  Encompasses; Security – Privacy – Reliability – Business Practices.

Managing risk at all layers..

Thoughts –

– If I move to a CSP and they have the same level of security as me, and I am saving money, then I am being efficient

– If I move to a CSP and they have better security than me, I am mitigating risk

Help adopters understand why!

– Adoption rests on clear and simple ROI

Microsoft ‘Cloud Security Readiness Tool’

www.microsoft.com/trustedcloud

Trusted cloud initiative – not there to sell product, just to help organisations (possibly everyone?) to be safer and more secure in the cloud.

This tool addresses the 10 key Cloud Security Control Areas from the CSA guidance.

The tool also allows you to select your industry, then maps this back to the regulatory bodies that are likely to regulate your industry.  This then maps the specific regulations and controls you will need to meet.

Considerations to aid adoption;

– Consult guidance from organisations such as the CSA

– Require that the provider has obtained third party certifications and audits such as ISO/IEC 27001:2005

– Ensure clear understanding of security and compliance roles and responsibilities for delivered services

– Know the value of your data and the security and compliance obligations you need to meet

– Ensure as much transparency as possible e.g. through STAR (https://cloudsecurityalliance.org/star/) – suppliers such as Amazon and Microsoft are already registered here.

This talk was much more about the Microsoft Cloud readiness tool than the CSA STAR (Security, Trust, and Assurance Registry), but was still interesting and I can highly recommend both the STAR registry for CSPs and consumers, and the Microsoft tool.

————

Advanced Persistent Response – Tim Kellermann – Vice President of Cybersecurity – Trend Micro

How might organisations learn from elite hackers?

Stats;

– 52% of companies failed to report or remediate a cyber-breach in 2011 (retains plausible deniability, but we all trade with these companies)

– A new piece of malware is created every second

– Trend Micro evaluations find over 90% of enterprise networks contain active malware!

Targeted attacks are becoming increasingly common.  Attackers take time to gain intelligence about you and your networks.

Offence Informs Defence: The Kill Chain;

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Command and Control
6. Propagation
7. Exfiltration
8. Maintenance

Advanced Malware examples include;

– IXESHE – The attackers behind this advanced malware use compromised hosts inside organisations networks to control other systems.

– Jacksbot – bot malware that is multi-platform across multiple O/Ss including mobile. (check)

We need to conduct more tests and assessments of our environments, using Zeus, BlackHole exploit kit, Metasploit, Spy Eye etc.

Tactical trends in Hacking;

– Professionalism and commoditisation of exploit kits

– Man in the Browser attacks becoming more common

– Android framework for exploitation (BYOD = BYOM (Bring Your Own Malware))

– Proximity attacks realised (microphones turned on in laptops / phones / tablets, Bluetooth attacks)

– Mobile malware proliferation

– Application attacks

– Botnets migrating from IRC to HTTP

– Attacks against Macs

Cloud security issues / considerations;

– Server and VM integrity (virtualisation attacks, inter-VM attacks, instant-on gaps)

– Network and intrusion management and monitoring in a cloud / virtual environment

Custom attacks need intelligent and custom defences.  We must recognise that APTs are consistent and part of ongoing campaigns.

Risk management in 2012;

– Has the cyber security posture of all third parties been audited?

– Is access to all sensitive systems governed by 2-factor authentication?

– Does a log inspection program exist? How frequently are the logs reviewed?

– Does file integrity monitoring exist?

– Can vulnerabilities be virtually patched?

– Is MDM and mobile management software utilised?

– Do you utilise DLP?

– Can you migrate layered security into the cloud environment?

– Do you maintain multi-level, rule based event correlation?

– Do you have access to global intelligence and information sharing?

There was a lot to think about in this presentation from Trend Micro, and it nicely builds on / reinforces the points made both here and at RSA – the attackers are getting increasingly sophisticated and we need to work hard to not just keep up but to try and get ahead of them. The closing points under the heading ‘Risk management in 2012’ are well worth bearing in mind when thinking about your risk management process / strategy.

————————

Aligning Your Cloud Security with the Business: A 12-Step Framework

This talk was actually very light, but I thought I would share the 12 points they covered as the points around creating business cases and defining value in business not IT terms are worthwhile;

Implementing data centric security in the cloud;

Key ingredients – Data, Users, Business Processes, Clouds, Controls, Compliance

Recipe;

  1. Define business relevance of each data set being moved to the cloud
  2. Classify each data set based on business impact – must be business driven, not IT
  3. Inventory data – technical and consultative. Mentioned that DLP is one of the best ways to discover and maintain data inventories.
  4. Destroy (or archive offline) any unnecessary data
  5. Inventory users – into user roles / role types (can do other things as well like geography)
  6. Associate data access with business processes, users, roles
  7. Determine standard control requirements for each data set
  8. Determine Feasible controls for each cloud environment e.g. you can implement far less of your own controls in a SaaS environment vs. IaaS
  9. For each data set, identify acceptable platform based on the required controls and security level of the data
  10. Ensure only users that need access to data have access to it, and that this access is at the appropriate level
  11. Identify and Implement appropriate controls across each cloud environment
  12. Validate and monitor control effectiveness

So to summarise the presentation;

Start with the business context, not the security controls

Classify based on the business value, not the IT value!

K