Computing Summit – Enterprise Security and Risk Management 2014 part 2

Protecting against phishing and social engineering techniques – Neil Thacker – Websense

90% of all attacks begin with email – phishing / spear phishing.  Spear phishing is the most common vector into companies.

Success = Talent + Luck.

In spear phishing – Talent = making the email seem as real as possible.  Luck = someone clicking on it and the malware or similar running / user clicks link.

Take-away points:

People and Process:

– Limit the information you share about yourself online
– Verify all messages with links and attachments
– “Catch of the day” gamification program

Technology:

– Link email and web events in real-time
– Real-time user education at point-of-click
– Measure and phish at-risk employees… with permission


Useful link for people to check whether a link they have been sent may be malicious: http://csi.websense.com
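The “verify all messages with links” point above is easy to say and hard to do by eye, because the tells sit in the href rather than in the visible text. The script below is an added example written for this post (not code from the presentation or from Websense); it walks the anchors of a constructed HTML email and reports the classic signs of a disguised link: visible text naming one host while the href goes to another, user-info before an `@` that pushes the real host out of view, a raw IP literal instead of a domain, and punycode labels that usually mean a lookalike domain. The sample message, the hosts in it and the reason strings are all constructed for the example.

```python
"""Flag suspicious hyperlinks in an email body.

Added example for this post, not code from the presentation or from Websense.
Parses the anchors of a (constructed) HTML email and reports links that show
the usual spear-phishing tells.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample message; none of these hosts are real phishing sites.
SAMPLE_EMAIL = """
<p>Your invoice is ready. Review it at
<a href="http://secure-login.example-bank.com.attacker.example/login">https://www.example-bank.com/login</a>
or <a href="http://www.example-bank.com@203.0.113.9/x">your account page</a>.</p>
<p>Docs: <a href="https://xn--exmple-cua.com/doc">ex\u00e4mple.com</a></p>
<p>Safe: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the host portion of a URL, or '' if it has none."""
    return urlsplit(url).hostname or ""


def _looks_like_url(text):
    """True if the visible link text is itself presented as a URL."""
    return bool(re.match(r"^(https?://|www\.)", text, re.IGNORECASE))


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return a list of (href, [reasons]) for anchors that deserve a second look."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        # 1. Visible text is a URL but names a different host than the href.
        if _looks_like_url(text):
            shown = text if "://" in text else "http://" + text
            if _host(shown).lower() != host:
                reasons.append("link text host differs from href host")
        # 2. user-info before '@' pushes the real host out of view.
        if parts.username is not None:
            reasons.append("href contains user-info before '@'")
        # 3. Raw IP address instead of a domain name.
        if _is_ip_literal(host):
            reasons.append("href host is an IP literal")
        # 4. Punycode label: possible homograph / lookalike domain.
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("href host uses punycode (possible homograph)")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The checks are deliberately cheap so they can run at the mail gateway or at point-of-click; they do not replace a reputation lookup such as the one linked above, but they catch the mismatches a reader skimming the rendered message will not notice.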


Securing Mobile – The new enterprise desktop

Presentation by Entrust

Mobile and traditional ‘desktop’ worlds are colliding.

People have multiple identities across devices and systems, both personal and work.

Huge numbers of people using personal, BYOD, devices to access corporate systems.

Growing mobile and ‘always on’ workforce.

– Sensitive information now travels outside of the office to the home, car, gym, anywhere

One breach leads to…

– A successful attack on one identity has the potential to open the door to all other identities: social engineering, the same or similar passwords used, etc.

Mobile – a unique blend of security and usability:

– Mobile devices have powerful features built in that organisations can leverage
  o Application sandbox
  o Crypto
  o Biometrics
  o Secure elements
– Users want to carry them – always in hand, always connected, convenient, support work / personal balance
– The good – applications signed and vetted, applications sandboxed, GPS, Bluetooth, biometrics and cryptography
– The bad – malware in apps, apps that can view other data such as SMS, jailbroken devices, insecure logons (e.g. simple PINs, fingerprint smudges, weak biometrics, etc.)


Mobile Smart Credential Concept (Entrust product) – the phone is used for both physical and logical access: physical access to the building, logical access to systems, digital signatures, encryption, cloud, VPN, and out-of-band alerts to confirm transactions.

Mobile – a catalyst for change.

Talk was pretty much a product sales pitch, but a few interesting points.


Redefining Network Security: Detecting and preventing Advanced Persistent Threats

Presentation by Palo Alto

Another one starting with the attack kill chain:

– Breach perimeter
  o Initial compromise
– Deliver malware
  o Deliver malware and communicate with attacker
– Endpoint operations
  o Move laterally and infect additional hosts
– Exfiltrate data
  o Steal intellectual property

Prevent attacks by stopping one step in the kill-chain.

Attackers disguise attacks in other traffic – specially crafted UDP packets, DNS, HTTPS, Skype traffic (e.g. customised encryption, port hopping, etc.).  There are many ways to hide and exfiltrate data; it is not always obvious, or obviously malicious, traffic.  We focus heavily on web / email / known-bad traffic, but are we looking in the right places?  Are we missing data leaving via less obvious channels, or channels assumed to be OK?
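DNS is the channel in that list most organisations let out unfiltered, which is why it is so often borrowed for exfiltration. The script below is an added example written for this post (it is not code from the presentation or from Palo Alto Networks) showing the two heuristics a defender would run over DNS query logs: per query, a label that is unusually long or has the character entropy of encoded data; per client, an unusual number of distinct names under one zone. The log format, the client addresses, the `exfil.example` zone and the thresholds are all constructed for the example, and the zone is simplified to the last two labels rather than looked up against the public suffix list.

```python
"""Heuristics for spotting DNS used as a covert / exfiltration channel.

Added example for this post, not code from the presentation or from Palo Alto
Networks. Reads constructed DNS query log lines and flags (a) queries whose
labels look like encoded data and (b) clients that send many distinct names
under a single zone.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<time> <client> <qtype> <qname>".
# The hex-looking labels stand in for chunks of encoded data; no real traffic.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:02 10.0.0.7 A static-assets-eu-west.cdn.example.net
10:00:03 10.0.0.5 TXT 3a7f1c9e0b5d2846e8d20b6a4c1f957371b4e0a9.t.exfil.example
10:00:03 10.0.0.5 TXT e8d20b6a4c1f95733a7f1c9e0b5d284671b4e0a9.t.exfil.example
10:00:04 10.0.0.5 TXT 3a7f1c9e0b5d2846e8d20b6a4c1f9573c5d2f638.t.exfil.example
10:00:04 10.0.0.5 TXT e8d20b6a4c1f95733a7f1c9e0b5d2846c5d2f638.t.exfil.example
10:00:05 10.0.0.5 TXT 3a7f1c9e0b5d284671b4e0a9e8d20b6a4c1f9573.t.exfil.example
10:00:05 10.0.0.5 TXT e8d20b6a4c1f957371b4e0a93a7f1c9e0b5d2846.t.exfil.example
"""

# Thresholds chosen for the example; tune them against your own baseline.
LABEL_LEN_LIMIT = 30        # ordinary host labels are rarely this long
ENTROPY_LIMIT = 3.5         # bits per character; hex/base32 chunks sit near 4-5
UNIQUE_NAME_LIMIT = 5       # distinct names under one zone from one client


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line into its fields."""
    time, client, qtype, qname = line.split()
    return {"time": time, "client": client, "qtype": qtype,
            "qname": qname.lower().rstrip(".")}


def zone_of(qname):
    """Simplification for the example: the zone is the last two labels."""
    return ".".join(qname.split(".")[-2:])


def query_reasons(rec):
    """Per-query tells: one label that looks like a blob of encoded data."""
    reasons = []
    longest = max(rec["qname"].split("."), key=len)
    if len(longest) > LABEL_LEN_LIMIT:
        reasons.append("long label")
    if shannon_entropy(longest) > ENTROPY_LIMIT:
        reasons.append("high-entropy label")
    return reasons


def analyse(log_text):
    """Return (flagged queries, noisy (client, zone) pairs with their name counts)."""
    flagged = []
    names_seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = query_reasons(rec)
        if reasons:
            flagged.append((rec["qname"], reasons))
        names_seen[(rec["client"], zone_of(rec["qname"]))].add(rec["qname"])
    noisy_zones = {key: len(names) for key, names in names_seen.items()
                   if len(names) >= UNIQUE_NAME_LIMIT}
    return flagged, noisy_zones


if __name__ == "__main__":
    flagged, noisy = analyse(SAMPLE_LOG)
    for qname, reasons in flagged:
        print(qname, "->", ", ".join(reasons))
    for (client, zone), count in noisy.items():
        print(f"{client} sent {count} distinct names under {zone}")
```

The per-zone count is the more robust of the two signals: a tunnel can shorten and pad its labels to dodge the length and entropy checks, but it still has to send a distinct name for every chunk, which shows up as a client talking to one zone far more often than any legitimate host does.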

Requirements – detect and prevent

Detect unknown threats, prevent all known threats

– Automatically detect unknown threats and make them known.  Prevent all known threats – they are known after all, so there should be little excuse for missing these!

Prevent across all networks – provide consistent security across the environment

– Prevent threats at: the internet edge, the data centre edge, between VMs in the DC, between mobile devices and core systems, etc.

Closed-loop protections

– A closed feedback loop creates shared protections for all systems in your environment, and ideally for all customers via sharing in the cloud.

Talk became a product overview of the Palo Alto solution, but the above points are I think relevant generally.


Computing Summit – Enterprise Security and Risk Management 2014 part 1

I attended the Computing magazine Enterprise Security and Risk Management summit a while ago and thought I should share some of the notes I made during the day.

As always these are pretty raw notes that I took on the day.

Risk assessment and data classification are key to understanding which data must be secured, and how.  This is challenging, however, as the goal posts constantly move.  For example, is the most sensitive data that which would have the greatest financial impact if lost, or that which is most confidential?  Time is often a factor: a charity stated that its systems being down has a much greater impact over Christmas than during the school holidays; another example is a sales organisation, where the data is hugely valuable and sensitive while a large deal is imminent, but as soon as the deal is done, the data is public.

Prioritising which data must be protected, and when is key to enabling an intelligent, risk based approach to security.

For me this is such an obvious premise.  Without data classification most DLP type tools are of limited value.  Yes, they can look for obvious things like a credit card number or specific keywords / phrases, but they will miss most things your business considers of value unless you tell them what is of value by classifying it!  This is an area many companies seem to fail on, yet classification is critical to enable appropriate handling and controls to be implemented around your data.

Panel discussion: Effective information security risk management – making the business case for investment.

Focus on how to engage and communicate at board level.

Ensure the board understands risk and regulations etc.

Understanding the culture of the organisation and the primary concerns of the board are key.  The need for and benefits of security can then be sold to the board in terms of how it will protect / drive / benefit the business and better enable it to achieve its key goals.

Ensure there is a balance between security and usability.  Security must enable the business goals in a secure manner, not hinder them in the name of being secure.

Security must understand the business:

– What is the impact to the business from potential issues / threats if they are realised?
– What is the impact to usability / customer experience / profit etc. of implementing controls to remove / mitigate / reduce the risk?
– What is the environment the business operates in?  Use examples of similar businesses, or businesses in similar sectors, who have been breached or who have implemented similar security controls.

Education and awareness are also key, IT may be able to implement security controls and monitoring, but security and working securely is everyone’s responsibility within the organisation.

Brief comments on supply chain management / security.  For medium to large suppliers, contracts are key, for very small suppliers contracts are important, but working more collaboratively is likely more important as they will not be set up for large complex corporate contracts.  Fostering long term relationships works better and will provide better outcomes than changing every year just to save cost – this long term approach develops trusted relationships with partners who understand your business.


Information Security Transformation – Matt Denny, Marks and Spencer

Historically M&S was very security focused, but in the traditional sense of a castle around all the data.  This often made it very hard for people to do their jobs.  As an example, he stated that staff in the stores couldn’t access the M&S website as it wasn’t approved by security!

Built out a team of experts, some in security and some with a strong retail focus.  Worked hard to ensure security is appropriate across the business – what do we really need to protect, how should we enable the business?

Focus on quietening the noise – dealing with issues that hinder peoples work, so conversations with the board weren’t about the issues people complained about.

Driven a culture of accountability and ownership.  The current DR manager and PCI / compliance manager had no previous experience in those specific areas.  They were asked what they needed, training etc., then made accountable once they had what they needed.

Some key take-away points:

– Know your business needs
– Build a strategy, communicate it and live by it
– Implement an SDLC and take application security seriously
– Identity and application management doesn’t have to be hard
– Invest in your people… Invest in your people…
– Work with people, not companies
– Trust no-one – check and verify

Message Matt presented to the M&S board on infosec for the next year:

– Prepare for the worst
  o Know your weaknesses
  o Be able to detect the attacks
  o Practice your response
– Stay ahead of the bad guys
  o Research and learn
  o Invest in your people
  o Innovate and deploy effective tech
– Get more from what you have
  o Use as much functionality as you can
  o Legacy can still be king!


Also of note – the first security awareness message to the whole business was a simple video about staying safe online at home as well as at work.  The general focus was on staying safe online: if someone can create a safe Facebook password, they can create a safe work one!

Great talk highlighting how important it is to get the right message to the board, and how simple this message, plus security awareness can be.

Understand your business, the key drivers, invest in people and ensure you get your message to the board in language they care about.

K

ISF Congress Post 5: Expect the worst; Operational risk quantification process

Expect the worst case:

Approach for quantifying operational risks – with a special focus on cyber security risks.

Presentation by Hanno Lenz for the ERGO Insurance group.

ERGO splits risk management into three categories / lines of defence:

  • Risk Taker (Owner) – Business line
  • Risk Controller – Risk Management
  • Independent Assurance – Internal Audit


This is then further split into lines of business and risk categories (strategic risks, market and credit risks, operational risks, liquidity risks, reputational risks).

This presentation had some excellent graphics highlighting their risk process: how they move from threats to risks, how to assess the probability and impacts, and then the actual risk.  This process is outlined below.


They created this Security and Continuity Risk management model:

[Image: Screen Shot 2013-11-04 at 09.38.08 – Security and Continuity Risk management model]

This model for working through from threats to the actual risks:

[Image: Screen Shot 2013-11-04 at 09.39.15 – from threats to actual risks]

The process they follow from threat to actual business risk and impact is outlined in the diagrams below.

Assessing the probability of the threat occurring:

[Image: Screen Shot 2013-11-04 at 09.42.44 – assessing probability]

Assessing the impact should the risk occur:

[Image: Screen Shot 2013-11-04 at 09.44.35 – assessing impact]

And finally, working out the actual risk by combining the probability with the impact:

[Image: Screen Shot 2013-11-04 at 09.46.09 – combining probability and impact into risk]


I think this provides a very good, easy to understand overview of a relatively simple and workable risk assessment process.

Remember, in order to make any risk assessment process a success, and for the results to be worthwhile, you need to ensure the input data is as accurate as possible, and also that the analysis is performed by people with the relevant expertise.

For the inputs, ensure you consult with the business streams and have an in-depth understanding of the organisation, its IT structure, where the data and applications are, the number of employees, office locations, etc.  Also ensure you have engaged with the BCM teams to understand recovery requirements and plans, recovery costs, degree of outsourcing, etc.

For the outputs, as well as the IT security and BCM teams, ensure you have the right experts for creating realistic examples and actual security scenarios, estimating the costs of the risk should it occur, and also experts in mathematical modelling so that the results are modelled correctly and are not just estimates.

K