ISF congress post 7: Unmasking the Bogeyman – Cyber Threat Profiling

Unmasking the Bogeyman – Utilising cyber-intelligence and threat profiling to measure threats to your organisation!

Presentation by James R Williams of StateFarm.

 

The number of breaches and issues over the last few years has helped security professionals prove that the bogeyman is indeed real and that there are many real threats to our organisations.  These range from (potentially) government-funded malware such as Stuxnet and Duqu, through attacks against RSA, Sony etc., to denial of service attacks.

However just knowing about these is not enough, we need to be able to measure and quantify these threats in the context of our organisations. This is true for both emerging and realised threats.

Definitions, what is a cyber threat?

  • “The possibility of a malicious attempt to damage or disrupt a computer network or system” – Oxford Dictionaries.

What a cyber threat is not;

  • Vulnerability or exploitability of a given technology or solution.
  • Likelihood of an event occurring
  • Risk to the organisation from a defined threat. (Risk is the product of analysing threat, vulnerability and impact).

 

Threat profiling is a tool / process that can be used to analyse a cyber threat.

This starts with identifying and classifying the threat;

[Slide: identifying and classifying the threat]

The threat then needs to be measured in a meaningful and consistent way.  To do this a threat scale of 1-10 was created, made up of accumulated scores covering whether the threat is real and current or upcoming, what mitigations exist against the threat, etc.  Threat impact categories from NIST are used.  This is shown in the diagram below;

[Slide: the 1-10 threat scale built from accumulated scores, using NIST threat impact categories]

To add detail and meaning to this score, the items in the diagram below need to be considered in order to understand the scale of the threat, the motivation (how hard the attacker will try, for how long, and with what resources), and the actions the threat would take, e.g. the target of the threat.

[Slide: scale, motivation and actions of the threat]

This data can then be incorporated into a Threat Profile table to provide a consolidated view of the specific threat and its score.  A slightly tongue in cheek example is shown below;

[Slide: example Threat Profile table]

This talk links nicely with the earlier talk around the operational risk quantification process here;

http://www.kevinfielder.co.uk/uncategorized/isf-congress-post-5-expect-the-worst-operational-risk-quantification-process/

This profiling could be used as part of, or an addition to, the risk assessment process.  This would be one of the early steps in the area of understanding threats and what they are, in order to then translate them into actual business risks.
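As an added illustration of the scoring described above (this is not code from the talk or the slides), the following Go program accumulates a handful of threat factors into the 1-10 scale, renders a small Threat Profile table, and then combines the threat score with vulnerability and impact scores in line with the post's definition of risk. The factor names, their 0-3 scales, the scaling arithmetic and the risk band thresholds are all assumptions made for the example; the talk's actual factor list is on the slides, which the post does not reproduce.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"text/tabwriter"
)

// Threat is a constructed threat profile record. The factor names and the
// 0-3 scales are assumptions standing in for the slide content.
type Threat struct {
	Name       string
	Currency   int    // 0 = hypothetical ... 3 = active against us now
	Capability int    // 0 = opportunist ... 3 = well-resourced and skilled
	Intent     int    // 0 = incidental ... 3 = determined and persistent
	Mitigation int    // 0 = nothing in place ... 3 = strong, tested controls
	Impact     string // NIST-style impact category label (the post cites NIST categories)
}

func (t Threat) validate() error {
	for _, v := range []int{t.Currency, t.Capability, t.Intent, t.Mitigation} {
		if v < 0 || v > 3 {
			return fmt.Errorf("threat %q: factor value %d outside 0-3", t.Name, v)
		}
	}
	if t.Impact == "" {
		return errors.New("impact category is required")
	}
	return nil
}

// ThreatScore accumulates the factors onto the 1-10 scale the talk describes.
// Strong mitigation lowers the score, so it enters as (3 - Mitigation).
// The raw sum ranges 0-12 and is mapped linearly onto 1-10, rounding half up.
func ThreatScore(t Threat) (int, error) {
	if err := t.validate(); err != nil {
		return 0, err
	}
	raw := t.Currency + t.Capability + t.Intent + (3 - t.Mitigation)
	return 1 + (raw*9+6)/12, nil
}

// RiskScore follows the post's definition of risk as the product of threat,
// vulnerability and impact; each input is on a 1-10 scale, so the result is 1-1000.
func RiskScore(threat, vulnerability, impact int) (int, error) {
	for _, v := range []int{threat, vulnerability, impact} {
		if v < 1 || v > 10 {
			return 0, fmt.Errorf("value %d outside 1-10", v)
		}
	}
	return threat * vulnerability * impact, nil
}

// RiskBand buckets a RiskScore; the thresholds are assumptions, not the talk's.
func RiskBand(risk int) string {
	switch {
	case risk >= 500:
		return "High"
	case risk >= 150:
		return "Medium"
	default:
		return "Low"
	}
}

func main() {
	// Constructed sample profiles.
	threats := []Threat{
		{Name: "Commodity ransomware", Currency: 3, Capability: 1, Intent: 2, Mitigation: 2, Impact: "Moderate"},
		{Name: "State-sponsored IP theft", Currency: 2, Capability: 3, Intent: 3, Mitigation: 1, Impact: "High"},
		{Name: "Hacktivist DDoS", Currency: 1, Capability: 1, Intent: 1, Mitigation: 3, Impact: "Low"},
	}
	w := tabwriter.NewWriter(os.Stdout, 0, 4, 2, ' ', 0)
	fmt.Fprintln(w, "Threat\tScore (1-10)\tImpact category")
	for _, t := range threats {
		s, err := ThreatScore(t)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		fmt.Fprintf(w, "%s\t%d\t%s\n", t.Name, s, t.Impact)
	}
	w.Flush()

	// Translate one threat score into a risk statement (vulnerability and impact are constructed).
	r, _ := RiskScore(9, 7, 8)
	fmt.Printf("State-sponsored IP theft: risk %d (%s)\n", r, RiskBand(r))
}
```

Keeping the threat score separate from the risk score mirrors the post's point that a threat is not the same thing as a vulnerability, a likelihood, or a risk: the profile scores the adversary and its currency, and only the later risk step brings in how exposed you are and what it would cost.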

A note on data sources;

  • For cyber threats, one of the best sources of data for your organisation is to engage with a mature cyber intelligence / threat intelligence service.  These are costly but can provide very targeted intelligence with links into the criminal underground, government actors, social media, boards such as Pastebin, and more general news sources.
  • Next to the above are more general sources of threat information such as various industry forums.
  • But also remember many other data sources can be used to add value such as
    • Intrusion Prevention / Detection system logs
    • Incident handling documentation
    • Human resources
    • Physical security assets
    • Security Information and Event Management (SIEM) systems

Some useful reading / guidance on this topic;

US National Institute of Standards and Technology (NIST) – Preliminary Cybersecurity Framework : 

“…The organization uses a formal, threat-aware risk management process…”

US National Institute of Standards and Technology (NIST) – Guide for Conducting Risk Assessments 

NIST Special Publication 800-30

US National Institute of Standards and Technology (NIST) – Computer Security Incident Handling Guideline 

NIST SP 800-61 Revision 2

 

From a cyber / technical threat assessment perspective this presentation has some very good ideas and outputs a relatively simple, easy to use set of scores and information around threats.  It doesn’t yet cover how to ‘chain’ multiple threats together, and does not cover turning it into something for general management / the board.

As mentioned, this would be a great starting point for the earlier process around quantifying operational risks.

K

Cloud Security Alliance Congress Orlando 2012 pt4

Keynote day 2 – panel discussion around ‘Critical Infrastructure, National Security and the Cloud’.

Discussions around the role of ISPs in protecting the US from attacks, e.g. by dropping / blocking IP addresses or blocks of IP addresses from which attacks such as DDoS originate.

Should they be looking more deeply into packets in order to prevent attacks?  What does this mean for net neutrality and freedom?

How does this apply to Cloud service providers (CSPs)?  What happens when the CSP is subpoenaed by the courts / government to hand over data?  This is another reason why you should encrypt your data in the cloud and ensure you manage the keys.  This means the court / government has to directly subpoena you as the data owner and give you the opportunity to argue your case if they want access to your data.
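The advice above to encrypt data before it reaches the cloud and to keep the keys yourself is easy to state and easy to get subtly wrong, so here is an added Go example (not from the panel or any provider's SDK) of what client-side encryption looks like: objects are sealed with AES-256-GCM using a key that never leaves your side, the object name is bound into the authentication tag, and any modification of the stored blob is detected on read. The key source is an assumption (in practice it would be your own key manager or HSM); the object name and sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit key. In a real deployment this would be
// issued by a key manager you control (assumption); the provider never sees it.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptObject seals plaintext before it is handed to the provider. The object
// name is bound as additional authenticated data, so a ciphertext cannot be served
// back under a different name without failing the integrity check. A fresh random
// nonce is used per object; never reuse a nonce with the same key.
// Output layout: nonce || ciphertext || tag.
func EncryptObject(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptObject opens a blob fetched from the provider. Any bit flip in the
// nonce, ciphertext or tag, or a mismatched object name, yields an error.
func DecryptObject(key []byte, objectName string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short to contain a nonce")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return pt, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	name := "customers/2013-q4.csv" // constructed object name
	record := []byte("constructed sample record")

	blob, err := EncryptObject(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for %s (provider sees no plaintext)\n", len(blob), name)

	pt, err := DecryptObject(key, name, blob)
	fmt.Printf("read back: %q (err=%v)\n", pt, err)

	// Simulate the stored object being altered: the read fails closed.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptObject(key, name, tampered)
	fmt.Printf("tampered object: err=%v\n", err)
}
```

The practical consequence for the subpoena scenario is the one the panel described: what the provider can hand over is the blob, and the plaintext is only reachable through the key holder.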

Should the cloud be defined as critical infrastructure?  If so, which parts, which providers etc.?  What critical infrastructure means will need to be clearly defined when discussing the cloud.

The next discussion point was China: continuous economic growth means we are more and more involved in trade with China; however, they are also stealing huge amounts of proprietary data across multiple industries, and literally stealing all of their manufacturing data to copy what is made and how.  According to some vendor reports 95% of all internet based theft of intellectual property comes from China.  This is both from Chinese governmental bodies and Chinese corporations.

Look up Internet Security Alliance documentation around securing, monitoring and understanding your global manufacturing supply chain.  This document has been strongly resisted by both the Chinese Government and Chinese companies.  There is a clear need to protect sensitive information and work to reduce global supply chain risk.  The US Government is working on constant monitoring capabilities to help corporations monitor their global supply chains.

Proposed that IP theft should be on the agenda for the G20 next year.  Also proposed the US and other countries should have an industrial policy, if they don’t already, that allows the military and intelligence communities to defend corporations and systems that are deemed part of the critical infrastructures.

Counterfeiting is also moving into cyberspace, what do we do with counterfeit infrastructure or counterfeit clouds?

————

A practical, step by step approach to implementing a private cloud

Preliminary points – have you ever decommissioned a security product?  How many components / agents does the “AV” software on your laptop now have?

Why is security not the default?

Why would you not just put everything in the public cloud? – Risk, Compliance – you cannot outsource responsibility!

This is where ‘private cloud’ options come into play.  Could also consider ‘Virtual private cloud’ – this is where VPN technology is used to create what is effectively a private cloud on public cloud infrastructure.

Many organisations have huge spare server capacity – typical results find 80% of servers only used at 20% capacity.  You can create internal elasticity by making this spare capacity part of an internal, private cloud.

5 steps to a private cloud;

  1. Identify a business need – what is your cloud driver?  What will benefit from;
    1.  Greater agility
    2. Increased speed to develop and release,
    3. Elastic processes that vary greatly over time such as peak shopping days, or month end processing etc.
    4. DevOps
    5. Testing
    6. Rapid prototyping

2. Assess your current infrastructure – is there excess capacity?  Is the hardware virtualisation ready?  Can your existing infrastructure scale? (Note that a cloud can be physical, not virtual if this is required).  Is new cloud infrastructure needed?  What are your storage requirements?  What are your data recovery and portability requirements?  How will you support a private cloud with your existing security tools and processes (e.g. where do you plug in your IPS?) – are your processes robust and scalable? – can you monitor at scale?  Can you manage change at scale?

3. Define your delivery strategy – who are your consumers? Developers.  Administrators. General employees. Other?  Competency level of consumers defines the delivery means. (e.g. developers and admins may get CLI, General employees may get the ‘one click’ web portal).  Delivery mechanism matters!  Create a service catalogue.  Ensure ‘Back end services’ are in place

4. Transformation – You cannot forklift into the cloud – legacy applications that do not scale horizontally will not work.  More resources != greater performance.  Need to design in scale and security.  Modernise code and frameworks.   Re-test – simulate cloud scale and failures.  Re-think automation, scale.

5. Operationalize – Think about complete service life-cycle – deployment to destruction.  Resilience.  Where does security fit into this? – Everywhere! – whether applications or services.  Secure design from the ground up – embed into architecture and design – then security no longer on the critical path to deployment!

Overall this was an entertainingly presented talk that was a little light on detail / content, but I think the 5 points are worth bearing in mind if you are thinking of or implementing a private cloud in your organisation.

—————

Cloud security standards;

Talk overviewing some of the current standards relating to cloud security.  Below is a list of some of the cloud security standards / controls / architectures / guidance that you should be aware of if you are working with or planning to work with any sort of public cloud solution.

ITU –
– Cloud Security Reference Architecture
– Cloud security framework
– Guidelines for operational security
– Identity management of Cloud computing

ISO –
– 27017 – guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
– 27036-4 – Supply chain security: Cloud
– 27040 – Storage security
– 27018 – Code of practice for data protection controls for public cloud computing services
– SC7 – Cloud governance
– SC38
– Controls for cloud computing security
– Additional controls for 27001 compliance in the cloud
– Implementation guidance for controls
– Data protection implementation guidance
– Supply chain guidance

NIST –
– 800-125 – Guide to security for full virtualisation technologies
– 800-144 – Guidelines on security and privacy in public cloud computing
– NIST cloud reference architecture

OASIS –
– Identity in the Cloud

ODCA (Open Data Center Alliance) –
– Provider assurance usage model
– Security monitoring usage model
– RFP requirements

CSA –
– Cloud Controls matrix
– Trusted cloud infrastructure
– Security as a Service
– Cloud trust protocol
– Guidance document

The CSA Cloud Controls Matrix maps many of these standards to cloud control areas with details of the specification and the standard components each specification meets / relates to.

While a pretty dry topic, this is a useful reference list if you are looking for more information on cloud / cloud security related standards and guidance.

K

 

Consumerism of IT 2..

Following on from my previous post, which covered briefly what consumerism of IT and Bring Your Own Device (BYOD) are, I’ll now cover some of the things these trends mean for ICT departments.

For any IT business or IT department that thinks they do not need to consider the impacts of consumerism and BYOD – Think again!  Regardless of perceived business benefits such as cost savings or flexibility, or even the side benefits around the improved security and management of utilising VDI to centralise business owned user computing resources, as BYOD becomes more mainstream it will become an expected benefit / perk rather than the exception.

As an example of how this is already becoming more mainstream; several large companies such as IBM and Citrix are embracing this trend and have well established BYOD programs.

Ask yourself, do you want to attract the best talent? If the answer is yes then you need to ensure the working environment you offer is up there with the best of your competitors.  This includes offering things like BYOD programs across mobiles, tablets, laptops etc. and / or offering a wider variety of consumer type devices such as tablets and smartphones.

The challenge, as is often the case, will be to understand how these changes and trends can be harnessed to provide business benefits and create an attractive working environment, while still ensuring the security of your and your customers’ data and maintaining a stable and manageable ICT estate.

BYOD and consumerism of IT can and will make sweeping changes to how IT departments manage and provision user devices.  Whether this is due to supporting a wider variety of devices directly, or from relinquishing some control and embarking on a BYOD program, there will be changes.  What they are will depend on the route your company takes and how mature your company currently is regarding technology such as desktop virtualisation and offering functionality via web services.  If you currently have little or no VDI type solution and most of your application access is via thick or dedicated client software, the changes are likely to prove very challenging.  On the other hand, if you are at the other end of the scale with a large and mature VDI (Virtual Desktop Infrastructure) deployment along with most applications and processes being accessed via a browser, then the transition to more consumer or BYOD focussed end user IT will likely be relatively straightforward from a technical standpoint.

Without sounding like a broken record (well hopefully), the first thing you need to do before embarking on any sort of BYOD program is to get the right policies and procedures in place to ensure company data remains safe and that there are clear and agreed rules for how any devices can be used, how they can access data, how access, authentication and authorisation are managed, along with the company’s requirements around things like encryption and remote wipe capabilities.

NIST (National Institute of Standards and Technology) have recently released an updated draft policy around managing and securing mobile devices such as smartphones and tablets.  This policy covers both company owned (Consumerism) and user owned (BYOD) devices.  This can be used as a great starting point for the creation of your own policies.  It’s worth noting that NIST highlights BYOD as being more risky than company owned devices even when the devices are the same.  The policy draft can be found here;

http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

Once you have the policies in place you will need to assess the breadth of the program, this must include areas such as;

– Will you allow BYOD, or only company supplied and owned equipment
– Which devices are allowed
– Which O/Ss and applications are permitted; this should include details of O/S minor versions and patch levels etc.
– How will patching of devices and applications be managed and monitored
– What levels of access will the users and devices be permitted
– What architectural changes are required to the environment in order to manage and support the program
– How will licenses be managed and accounted for
– What are the impacts to everything from the network (LAN, WAN and internet access) to applications and storage to desk space (will users have more or less devices on their desks) to the provision of power (will there be more devices and chargers etc. on the floors)
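Several of the questions above (BYOD allowed or not, which O/Ss and minimum versions, patch levels, encryption and remote wipe) only bite once they are written down precisely enough to be checked against each device that asks for access. As an added example, not from the post or from NIST, the Go program below encodes such a policy and evaluates constructed inventory records against it, reporting every violation rather than just the first. The policy values, the device fields and the assumption that your MDM or asset system can report them are all illustrative.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Device is a constructed inventory record of the kind an MDM or asset
// register might report (assumed fields).
type Device struct {
	ID           string
	Owner        string // "company" or "byod"
	OS           string // OS family, lower case, e.g. "ios", "android"
	OSVersion    string // dotted version string
	Encrypted    bool   // storage encryption enabled
	RemoteWipe   bool   // remote wipe enrolled and working
	PatchAgeDays int    // days since the last OS/application patch was applied
}

// Policy is the written-down answer to the breadth questions; values are assumptions.
type Policy struct {
	AllowBYOD       bool
	MinOSVersion    map[string]string // permitted OS families and their minimum version
	MaxPatchAgeDays int
}

// Version is a parsed dotted version such as 16.4.1.
type Version []int

// ParseVersion rejects anything that is not dot-separated integers.
func ParseVersion(s string) (Version, error) {
	var v Version
	for _, part := range strings.Split(strings.TrimSpace(s), ".") {
		n, err := strconv.Atoi(part)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version %q", s)
		}
		v = append(v, n)
	}
	return v, nil
}

// VersionLess reports whether a < b, treating missing components as zero (12.1 < 13).
func VersionLess(a, b Version) bool {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// Evaluate returns every policy violation for a device; an empty slice means compliant.
// Malformed version strings are an error rather than a silent pass.
func Evaluate(p Policy, d Device) ([]string, error) {
	var violations []string
	if d.Owner == "byod" && !p.AllowBYOD {
		violations = append(violations, "BYOD not permitted")
	}
	if min, ok := p.MinOSVersion[d.OS]; !ok {
		violations = append(violations, fmt.Sprintf("OS %q not permitted", d.OS))
	} else {
		have, err := ParseVersion(d.OSVersion)
		if err != nil {
			return nil, fmt.Errorf("device %s: %w", d.ID, err)
		}
		want, err := ParseVersion(min)
		if err != nil {
			return nil, fmt.Errorf("policy for %s: %w", d.OS, err)
		}
		if VersionLess(have, want) {
			violations = append(violations, fmt.Sprintf("%s %s below minimum %s", d.OS, d.OSVersion, min))
		}
	}
	if !d.Encrypted {
		violations = append(violations, "storage encryption not enabled")
	}
	if !d.RemoteWipe {
		violations = append(violations, "remote wipe not available")
	}
	if d.PatchAgeDays > p.MaxPatchAgeDays {
		violations = append(violations, fmt.Sprintf("last patch %d days ago exceeds %d", d.PatchAgeDays, p.MaxPatchAgeDays))
	}
	return violations, nil
}

func main() {
	policy := Policy{AllowBYOD: true, MinOSVersion: map[string]string{"ios": "16.4", "android": "13"}, MaxPatchAgeDays: 30}
	devices := []Device{ // constructed records
		{ID: "D1", Owner: "byod", OS: "ios", OSVersion: "17.2", Encrypted: true, RemoteWipe: true, PatchAgeDays: 10},
		{ID: "D2", Owner: "byod", OS: "android", OSVersion: "12.1", Encrypted: false, RemoteWipe: true, PatchAgeDays: 45},
		{ID: "D3", Owner: "company", OS: "windows", OSVersion: "10.0", Encrypted: true, RemoteWipe: true, PatchAgeDays: 5},
	}
	for _, d := range devices {
		v, err := Evaluate(policy, d)
		if err != nil {
			fmt.Println(d.ID, "error:", err)
			continue
		}
		fmt.Printf("%s: %d violation(s) %v\n", d.ID, len(v), v)
	}
}
```

Reporting all violations at once is deliberate: a user told only that their OS is too old will upgrade and then discover encryption is also required, which is exactly the kind of friction that turns a BYOD program into a help-desk problem.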

This is by NO means an exhaustive list, the point of these posts is to get you thinking about what is coming along, and whether your company will embrace BYOD and the consumerism of IT.

CIO.com recently ran an article titled ‘7 Tips for Establishing a Successful BYOD Policy’ that covers some similar points and is worth a read;

http://www.cio.com/article/706560/7_Tips_for_Establishing_a_Successful_BYOD_Policy

There are several useful links from the CIO article that are also worth following.

It would be great to hear your thoughts and experiences on the impacts of consumerism and BYOD.

K