Posted on 18-Aug-2020

Page 1

DISCLAIMER: Opinions or points of view expressed are those of the author and do not reflect the position of any other organization.

Page 2

WELCOME TO SECURE360 2013

Don’t forget to pick up your Certificate of Attendance at the end of each day.

Please complete the Session Survey front and back, and leave it on your seat.

Are you tweeting? #Sec360 @steenfjalstad

Page 3

KISS (HOW MUCH SECURITY IS ENOUGH?)

AGENDA

• Overview
• Background
• Ground Rules
• Nuances
  • Security Program
  • Risk
  • Standards & Frameworks
  • Cyber Security
• Fast Break Demo
• The Security Journey
• Simple Security Model (exercise)
• Wrap-up

Page 4

Page 5

BACKGROUND

About this presentation:
• Ah-Ha. Where do I start, go next?
• Struggle. How much is enough or is that too much?
• Knowledge. Many available sources.
• Tool. Something to add to your security tool belt.
• Source. Time for me to share. Historical and fact based.
• Let’s go. Continue the dialog…

Security: freedom from danger, risk, etc.; safety.

Cyber Security: measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.

Source: merriam-webster.com

Page 6

BASIC GROUND RULE 1 OF 3

Security is an ∞ journey, ≠ destination.

Page 7

BASIC GROUND RULE 2 OF 3

Even the most secure systems will be compromised.

Page 8

BASIC GROUND RULE 3 OF 3

$ecurity <> Security

“It's possible to spend a fortune on security, but if it's done poorly, it doesn't help a business.” – Gartner Consulting (2010)

Est. $337 Billion on IT Security 2006-11

Est. 5,114 data loss incidents 2006-11

IT Budget as a percentage of overall revenue* or operating expense** (2011 Gartner Report):
• 3.5% Commercial organizations*
• 6.0% Technology-intensive*
• 4.5% Media, entertainment, professional services*
• 8.5% Government**
• 4.8% Education**
• NA not-for-profit

IT Security Spending as a percentage of IT Budget (2010 Gartner Survey):
• 5% of total IT budget spent on Security

Survey deep dive:
• 37% is spent on personnel
• 25% on software
• 20% on hardware
• 10% on outsourcing
• 9% on consulting

$525/yr per employee 2009

Page 9

Page 10

NUANCES OF A SECURITY PROGRAM

Technology Security
• Computer & Network Security
• Firewalls
• DDoS, Viruses, Worms, Crimeware
• System Hardening
• Encryption
• Engineering
• Intrusion Prev./Intrusion Detection
• Incident Response
• Access Controls/Change Mgmt.
• Security Information & Event Management (SIEM)

Information Security
• Risk Management
• Business Continuity & Disaster Planning
• Awareness Training
• Intellectual Property
• Business/Financial Integrity
• Regulatory Compliance & Auditing
• Industrial Espionage
• Privacy
• Forensics & Investigations
• Data Loss Prevention

Strategic Security
• Terrorism & Cyber Crime
• Regional Interests (Including Cyber and Natural Disaster)
• Nation State Interests
• Intelligence Analysis
• Professional & Trusted Alliances
• Politics
• Strategies and Tactics
• Red Teaming & simulated attacks*

Modified from Source: University of Washington

Technical Problems / Business Problems / Critical Security Problems

People, Process, Technology

Continued Research

CSO/CISO = Chief of What?

Page 11

NUANCES OF RISK

Known Risk & Unknown Risk

Risk Management must include adaptability & resiliency (1st nod to the animal kingdom).

Known Consequences
• Loss of data
• System Outage
• Traffic light DDoS
• Airport Runways (Chicago)
• Loss of Reputation

Known Vulnerabilities
• Patch Management
• Weak Code & Weak Configuration
• FUZZING
• Information leakage
• Poor Passwords (default)
• PADDING
• User Credentials (default)
• Insiders
• Spearphishing
• EMAIL ALIAS

Known Threats
• OpUSA (May 7-9)..maybe
• APT1 (Mandiant)
• BRIC
• Insiders
• Cyber Jihadists
• You….yes, you!
• Various Breach Reports (Verizon, Symantec, etc.)

Unknown Threats
• BLACK SWANS
• Cyber Pearl Harbor

Unknown Vulnerabilities
• 0 Day
• Achilles heel

Unknown Consequences
• Atomic, biological, chemical
• Drone Compromise

Page 12

NUANCES OF STANDARDS & FRAMEWORKS

“Organizations have made compliance in general the basis of their information security policies. As a community, we have not evolved at all.”

-Joshua Corman, 2009

Page 13

NUANCES OF CYBER SECURITY

Traditionally Cyber Security focuses on (NIST 1995):
• Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.
• Integrity: Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
• Availability: A requirement intended to ensure that systems work promptly and service is not denied to authorized users.

Cyber Security is using people, processes, & technologies … increase electronic information & communication system confidentiality, integrity, and availability … @ an acceptable level…

Page 14

NUANCES OF CYBER SECURITY, CONT.

CIA triad to classify cyber breach

Recent security events tied directly to Confidentiality, Integrity, Availability.

INTEGRITY
Bloomberg: “the hoax erased $136 billion in equity market value in 3 minutes.”

CONFIDENTIALITY
April 2011 – 70 million individuals had user names, passwords, birthdays, other personal information stolen.

AVAILABILITY
Multiple bank web-sites down due to DDoS April 2013. Software issue caused hundreds of flight cancellations April 2013.

Stay up on breaches, hacks, exploits…if you don’t have that vulnerability don’t mitigate.

Page 15

NUANCES OF CYBER SECURITY, CONT.

CIA based security controls – Internal

Confidentiality: All electronic information and physical access is limited to individuals with a need to know.

Integrity: All electronic and physical component user and system change is controlled and monitored to prevent and detect any and all additions, changes, and removals.

Availability: All electronic and physical components are available and recoverable.

“By failing to prepare, we are preparing to fail.” – Ben Franklin

Page 16

NUANCES OF CYBER SECURITY, CONT.

CIA based security controls – Software & Vendor

Confidentiality: Out of the box software must allow for all electronic and physical component information to only be accessed by individuals with a need to know.

Integrity: Out of the box software must allow for all electronic and physical component user and system changes to be controlled and monitored to only allow authorized and prevent unauthorized additions, changes, and removals.

Availability: Out of the box software must allow for all electronic and physical components to be available and recoverable.

“An ounce of prevention is worth a pound of cure.” – Ben Franklin

2008 Cyber Security Procurement Language for Control Systems Version 1.8 (DHS, INL, MS-ISAC, SANS)

Page 17

Page 18

FAST BREAK - DEMO

DEMO:
• Integrity: OS integrity will be changed - system event log will have shutdown event inserted.
• Confidentiality: Access to box could happen by obtaining passwords through unencrypted traffic (post-it note). (This demo shows Armitage….it works.)
• Availability: System shut down – game over.

Availability ‘Payload’

‘shutdown -s -t 900’ (-t 00 = immediately)

‘shutdown -a’

http://www.fastandeasyhacking.com/images/screenshots/armitage4.png
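As an added defender-side example (not part of the original deck or the Armitage demo), the following Python scans Windows System log records for the traces the demo's availability payload leaves behind: Event ID 1074 (a shutdown or restart initiated by a process on behalf of a user) and Event ID 6008 (the previous shutdown was unexpected). A 1074 event is flagged when the initiating account is not an approved operations account, which is what a planned `shutdown -s -t 900` run under a stolen credential looks like in the log. The event IDs are real Windows IDs; the tab-separated records, the host and account names, and the approved-account list are constructed for the example, and the field layout is a simplification, not a real event log export format.

```python
"""Flag shutdown activity in constructed Windows System log records."""
import re
from dataclasses import dataclass

# Real Windows System log event IDs (the records below are constructed).
EVT_SHUTDOWN_INITIATED = 1074   # User32: process/user initiated shutdown or restart
EVT_UNEXPECTED_SHUTDOWN = 6008  # EventLog: previous shutdown was unexpected

# Accounts allowed to initiate a planned shutdown (assumed policy for the example).
APPROVED_ACCOUNTS = {"CORP\\ops-admin"}

# Constructed sample export, tab-separated:
# timestamp <TAB> event id <TAB> account <TAB> process <TAB> message
SAMPLE_LOG = """\
2013-05-14T09:00:01\t1074\tCORP\\ops-admin\twinlogon.exe\tThe process winlogon.exe has initiated the restart of computer WS01 on behalf of user CORP\\ops-admin for the following reason: Operating System: Upgrade (Planned)
2013-05-14T09:42:10\t1074\tWS01\\jdoe\tshutdown.exe\tThe process shutdown.exe has initiated the shutdown of computer WS01 on behalf of user WS01\\jdoe for the following reason: No title for this reason could be found
2013-05-14T09:50:33\t7036\t-\t-\tThe Windows Firewall service entered the running state.
2013-05-14T10:01:15\t6008\t-\t-\tThe previous system shutdown at 09:57:02 on 5/14/2013 was unexpected.
"""

@dataclass
class Event:
    timestamp: str
    event_id: int
    account: str
    process: str
    message: str

@dataclass
class Finding:
    timestamp: str
    event_id: int
    severity: str
    reason: str

def parse_events(text):
    """Parse the constructed tab-separated export into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, process, message = line.split("\t", 4)
        events.append(Event(ts, int(eid), account, process, message))
    return events

# Pulls the action and target host out of a 1074 message body.
ACTION_RE = re.compile(r"has initiated the (shutdown|restart|power off) of computer (\S+)")

def analyse(events, approved_accounts=APPROVED_ACCOUNTS):
    """Return findings for shutdown events that an operator should review."""
    findings = []
    for ev in events:
        if ev.event_id == EVT_SHUTDOWN_INITIATED:
            m = ACTION_RE.search(ev.message)
            action = m.group(1) if m else "shutdown/restart"
            host = m.group(2) if m else "?"
            planned = "(Planned)" in ev.message
            if ev.account not in approved_accounts:
                findings.append(Finding(ev.timestamp, ev.event_id, "high",
                    f"{action} of {host} initiated by unapproved account {ev.account} via {ev.process}"))
            elif not planned:
                findings.append(Finding(ev.timestamp, ev.event_id, "medium",
                    f"unplanned {action} of {host} by approved account {ev.account}"))
        elif ev.event_id == EVT_UNEXPECTED_SHUTDOWN:
            findings.append(Finding(ev.timestamp, ev.event_id, "medium",
                "unexpected shutdown recorded (system did not shut down cleanly)"))
    return findings

def run_sample():
    """Analyse the constructed sample log."""
    return analyse(parse_events(SAMPLE_LOG))

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp} [{f.severity}] event {f.event_id}: {f.reason}")
```

On the sample the planned restart by the approved account is silent, the shutdown run by `WS01\jdoe` is reported as high severity, and the 6008 record is reported because an unexpected shutdown with no matching clean-shutdown event is exactly the availability loss the demo produces. A timed shutdown gives a window to act on the 1074 alert before the box goes down.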

Page 19

Page 20

THE SECURITY JOURNEY. FOOTBALL

Security in the game of football is easy…if only everything were…

Page 21

THE SECURITY JOURNEY. CARS

Little harder…

1908 Ford Model T
• Laminated glass (1930)

1926 Ford Model T
• Turn signals (1939)
http://commons.wikimedia.org/wiki/File:1926_Ford

2009 Lincoln MKS
• Early Collision Warning Brake Support (2000s)

Point A-B

Night driving

Inattentive driver

Page 22

THE SECURITY JOURNEY. ‘WHAT’S NEXT?’

Extremely sensitive and important data. *No visitors allowed.

http://www.swissfortknox.com

“Resistant against any known civil, terroristic and military threat (ABC, EMP, earth quakes, floods, landslides and large-scale fires)”

Page 23

THE SECURITY JOURNEY. YOUR COMPANY

Information, cell phone, door, window, document, object, computer, person, place, thing, formula, etc.

What is the security journey for your industry or company like? Anyone?

Page 24

Page 25

SIMPLE SECURITY MODEL

1. What are you securing? Must always start here.
2. Define the World.
3. Define the Threats.
4. Define the Loss.
5. Define the Security Measures (Spend or Mitigation).
6. Define what will not be Secured (Spent or Mitigated).

Modified from Source: University of Minnesota – Twin Cities (CSC5271 - KTB!)

If the security program cannot tie back to the object being secured, then the program must change.

Page 26

SIMPLE SECURITY MODEL - ANIMAL EXERCISE

Cheetah, Elephant, Gazelle, Giraffe, Gnu (wildebeest), Gorilla, Hippopotamus, Lion, Ostrich, Rhinoceros

1. What are you securing? Using your animal (think of one if need be). Your animal is what you are securing.
2. Define the World. What is the world the animal lives in?
3. Define the Threats. What will compromise the animal?
4. Define the Loss. What bad stuff can happen (include extremes)?
5. Define the Security Measures (Spend or Mitigation). What has the animal developed to deal with these threats and losses?
6. Define what will not be Secured (Spent or Mitigated). What will the animal not worry about?

Work by yourself, 1:1, groups, please take 3 minutes to talk and work out this exercise…

Page 27

SIMPLE SECURITY MODEL - ANIMAL EXERCISE

Page 28

By using security lessons from nature we realize that animals are only secure enough for the world they live in…and sometimes they do go extinct….but they are extremely resilient and adapt when faced with unknowns….and have 3B years of lessons for us to learn from.

Sample Results: Lion

• Define the World:
  • African Plains & Jungle
• Define the Threats:
  • Humans & Guns
  • Loss of Habitat
  • Drought
  • Hunger
  • Other Lions & Animals
• Define the Loss:
  • Death
  • Capture
  • Extinction
• Define the Security Measures (mitigation):
  • Size: The largest lion was recorded to be nearly 700 pounds and nearly 11 feet long.
  • Age: The oldest lion on record was nearly 29 years old.
  • Vision: A lion's eyesight is five times better than a human being's.
  • Hearing: A lion can hear prey from a mile away.
  • Smell: Lions can smell nearby prey and estimate how long it was in the area.
  • Sound: A lion's roar can be heard from five miles away.
  • Diet: Lions can go four days without drinking.
  • Humans and conservation projects (extra)
• Define what will not be Secured:
  • Humans & Guns
  • Habitat Reduction

For more see: ‘Learning from the Octopus – How Secrets from Nature can fight terrorist attacks, natural disasters, and disease’ – Rafe Sagarin

Page 29

BUT ANIMALS ARE NOT COMPUTERS…

Idea, object, door, window, document, computer, laptop, tablet, person, place, thing, formula, etc:
• Cell phones
• Databases
• Intellectual property
• Employee records
• Patient records
• Internet Connectivity
• Insiders
• Etc.

1. What are you securing? Using your <object> (think of one if need be). Your <object> is what you are securing.
2. Define the World. What is the world the <object> lives in?
3. Define the Threats. What will compromise the <object>?
4. Define the Loss. What bad stuff can happen (include extremes)?
5. Define the Security Measures (Spend or Mitigation). What has the <object> developed to deal with these threats and losses?
6. Define what will not be Secured (Spent or Mitigated). What will the <object> not worry about?

If the security program cannot tie back to the object being secured, then the program must change.
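The six questions map directly onto a data structure, and the rule that a program must tie back to the object being secured can be checked mechanically. The following Python is an added example, not from the deck or the University of Minnesota course it credits: it encodes the lion sample results from the earlier slide and a constructed laptop model in the six-step form, then reports measures that tie back to no defined threat or loss, threats that are neither mitigated nor explicitly accepted, threats both mitigated and accepted, and accepted items that match no defined threat. Which threats each lion measure addresses, the laptop scenario, and the spend figures are our own assumptions.

```python
"""Consistency check for the six-step Simple Security Model (added example)."""
from dataclasses import dataclass

@dataclass
class Measure:
    name: str
    addresses: frozenset   # threats or losses this measure mitigates (our mapping)
    spend: int = 0         # relative spend; assumed field, not on the slide

@dataclass
class SecurityModel:
    securing: str           # 1. What are you securing?
    world: str              # 2. Define the World.
    threats: frozenset      # 3. Define the Threats.
    losses: frozenset       # 4. Define the Loss.
    measures: list          # 5. Define the Security Measures (Spend or Mitigation).
    not_secured: frozenset  # 6. Define what will not be Secured.

def check_model(model):
    """Apply the tie-back rule and report gaps, contradictions and spend."""
    known = model.threats | model.losses
    covered = frozenset().union(*[m.addresses for m in model.measures])
    # A measure that addresses nothing in steps 3 or 4 does not tie back to the object.
    orphan_measures = sorted(m.name for m in model.measures if not (m.addresses & known))
    # Threats with no measure that were not consciously accepted in step 6.
    uncovered = sorted(model.threats - covered - model.not_secured)
    # Spending on something step 6 says will not be secured.
    contradictions = sorted(model.threats & covered & model.not_secured)
    # Accepted items that do not match any defined threat or loss (naming drift).
    unknown_accepted = sorted(model.not_secured - known)
    spend_in_scope = sum(m.spend for m in model.measures if m.addresses & known)
    spend_wasted = sum(m.spend for m in model.measures if not (m.addresses & known))
    return {
        "securing": model.securing,
        "orphan_measures": orphan_measures,
        "uncovered_threats": uncovered,
        "contradictions": contradictions,
        "unknown_accepted": unknown_accepted,
        "spend_in_scope": spend_in_scope,
        "spend_wasted": spend_wasted,
        "must_change": bool(orphan_measures or uncovered or contradictions),
    }

# Lion sample results from the deck; the threat each measure addresses is our assumption.
LION = SecurityModel(
    securing="Lion",
    world="African Plains & Jungle",
    threats=frozenset({"Humans & Guns", "Loss of Habitat", "Drought", "Hunger", "Other Lions & Animals"}),
    losses=frozenset({"Death", "Capture", "Extinction"}),
    measures=[
        Measure("Size", frozenset({"Other Lions & Animals"})),
        Measure("Age", frozenset()),  # a record, not a mitigation: ties back to nothing
        Measure("Vision", frozenset({"Hunger", "Other Lions & Animals"})),
        Measure("Hearing", frozenset({"Hunger", "Other Lions & Animals"})),
        Measure("Smell", frozenset({"Hunger"})),
        Measure("Sound", frozenset({"Other Lions & Animals"})),
        Measure("Diet", frozenset({"Drought"})),
        Measure("Humans and conservation projects", frozenset({"Loss of Habitat", "Extinction"})),
    ],
    not_secured=frozenset({"Humans & Guns", "Habitat Reduction"}),
)

# Constructed <object> example: a laptop, in the same six-step form.
LAPTOP = SecurityModel(
    securing="Sales laptop holding customer records",
    world="Travels with the rep; hotel and airport Wi-Fi; VPN to the office",
    threats=frozenset({"Theft", "Unencrypted traffic", "Default credentials", "Spearphishing"}),
    losses=frozenset({"Loss of data", "Loss of Reputation"}),
    measures=[
        Measure("Full-disk encryption", frozenset({"Theft", "Loss of data"}), spend=40),
        Measure("Always-on VPN", frozenset({"Unencrypted traffic"}), spend=25),
        Measure("Awareness training", frozenset({"Spearphishing"}), spend=15),
        Measure("Ruggedized case", frozenset({"Drop damage"}), spend=30),  # not a defined threat
    ],
    not_secured=frozenset(),
)

if __name__ == "__main__":
    for model in (LION, LAPTOP):
        report = check_model(model)
        print(report["securing"], "- program must change" if report["must_change"] else "- ties back")
        for key in ("orphan_measures", "uncovered_threats", "contradictions", "unknown_accepted"):
            if report[key]:
                print(f"  {key}: {', '.join(report[key])}")
        print(f"  spend in scope {report['spend_in_scope']}, spend wasted {report['spend_wasted']}")
```

For the lion, the check reports "Age" as a measure that ties back to nothing and "Habitat Reduction" as an accepted item that does not match the defined threat "Loss of Habitat"; for the laptop it reports "Default credentials" as a threat nobody mitigated or accepted and the case as spend outside the model. Both are the "must change" signal the slide describes, found before any money is spent.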

Page 30

Page 31

WRAP UP

1. What are you securing? Must always start here.
2. Define the World.
3. Define the Threats.
4. Define the Loss.
5. Define the Security Measures (Spend or Mitigation).
6. Define what will not be Secured (Spent or Mitigated).

If the security program cannot tie back to the object being secured, then the program must change.

Page 32

Page 33

EXTRA LESSON TIME - ANIMALS (INSECTS)

DDoS (DNS Re-routing lesson from ants):

“When an established path to a food source is blocked by an obstacle, the foragers leave the path to explore new routes. If an ant is successful, it leaves a new trail marking the shortest route on its return. Successful trails are followed by more ants, reinforcing better routes and gradually identifying the best [new] path.”

-Goss S, Aron S, Deneubourg JL, Pasteels JM (1989). "Self-organized shortcuts in the Argentine ant"

Under Attack (Information sharing lesson from ants):

“Ants use pheromones for more than just making trails. A crushed ant emits an alarm pheromone that sends ants into an attack frenzy and attracts more ants from farther away.”

-D'Ettorre P, Heinze J (2001). "Sociobiology of slave-making ants".
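To show the rerouting behaviour the first quotation describes, here is an added Python example (our own simplified model, not the cited papers' and not from the deck): three routes carry a pheromone weight, each round the traffic splits in proportion to that weight, unblocked routes are reinforced in proportion to their shortness, and every weight evaporates. Blocking the established route, as an outage or DDoS would, makes the system converge on the shortest remaining route with no central decision. The route names, lengths, and the deposit and evaporation constants are constructed for the example.

```python
"""Self-organized rerouting around a blocked path (added example)."""
from dataclasses import dataclass

@dataclass
class Route:
    name: str
    length: float          # cost of the path (hops, latency, ...)
    blocked: bool = False
    pheromone: float = 1.0

def step(routes, deposit=1.0, evaporation=0.2):
    """One round: split traffic by pheromone, reinforce unblocked routes by 1/length, evaporate."""
    total = sum(r.pheromone for r in routes)
    for r in routes:
        share = r.pheromone / total if total else 0.0
        # Only ants that got through lay trail on the way back; shorter paths get more per round.
        gain = 0.0 if r.blocked else share * deposit / r.length
        r.pheromone = (1 - evaporation) * r.pheromone + gain

def converge(routes, rounds=50, **kw):
    """Run the colony for a number of rounds and return the dominant route."""
    for _ in range(rounds):
        step(routes, **kw)
    return max(routes, key=lambda r: r.pheromone)

def traffic_share(routes):
    """Fraction of traffic each route carries at the current pheromone levels."""
    total = sum(r.pheromone for r in routes)
    return {r.name: r.pheromone / total for r in routes}

def make_routes():
    """Constructed scenario: an established primary path and two longer alternatives."""
    return [Route("dns-a", length=1.0, pheromone=5.0),
            Route("dns-b", length=2.0),
            Route("dns-c", length=3.0)]

def reroute_demo():
    """Converge on the primary, block it, converge again; return (before, after, shares)."""
    routes = make_routes()
    before = converge(routes).name
    for r in routes:
        if r.name == "dns-a":
            r.blocked = True        # the established path goes dark (outage or DDoS)
    after = converge(routes).name
    return before, after, traffic_share(routes)

if __name__ == "__main__":
    before, after, shares = reroute_demo()
    print(f"dominant route before block: {before}, after block: {after}")
    for name, share in shares.items():
        print(f"  {name}: {share:.3%}")
```

Two properties of the quotation show up in the numbers: the blocked route's weight decays by the evaporation factor every round, so traffic leaves it without anyone declaring it down, and among the surviving routes the shortest wins because it earns the most reinforcement per round. The same loop, with health checks in place of "blocked" and measured latency in place of "length", is the shape of a resilient resolver or upstream selection policy.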

Page 34

SLIDE REFERENCES

3:
http://farm4.static.flickr.com/3103/2853985315_b8805e2eb6.jpg
http://www.secmeme.com/2011/03/too-much-security.html
http://eveopportunist.blogspot.com/2013/01/corp-security-part-1-risks-without.html

6:
http://www.scenicreflections.com/media/522287/forrest_trail_Wallpaper/
http://pixdaus.com/files/items/pics/1/90/274190_2a5dba1dae456cf9576bfad78d36438f_large.jpg
http://www.altaplanning.com/App_Content/images/fp_img/pacific_crest_trail_fld.jpg
http://www.wallpaperhi.com/thumbnails/detail/20111201/fall_trail.jpg
http://www.ganeshbhandari.com/wp-content/uploads/2011/07/Mount-Everest-1.jpg

7:
http://teachersites.schoolworld.com/webpages/KJordan1/imageGallery/DinosaursRef1.gif
http://upload.wikimedia.org/wikipedia/commons/f/f1/Maginot_Line_ln-en.jpg
http://www.reuters.com/article/2012/09/12/us-usa-security-nuclear-idUSBRE88B06E20120912

8:
http://money.cnn.com/galleries/2011/technology/1107/gallery.cyber_security_costs/4.html
http://datalossdb.org/statistics
http://en.community.dell.com/dell-groups/dell_it_efficiency_metrics/w/overall_it_performance_metrics/it-spending-as-a-percent-of-overall-revenue.aspx
http://www.computerworld.com/s/article/9187239/How_much_should_you_spend_on_IT_security_

16:
https://www.asis2012.org/news/announcements/Documents/Utility%20Smart%20Grid%20Security.pdf?Mobile=1&Source=%2Fnews%2Fannouncements%2F_layouts%2Fmobile%2Fview.aspx%3FList%3D05cf25b5-c813-402e-8766-26867cdd4b7a%26View%3D8779b205-936e-4b86-aabb-f36578c11b8e%26CurrentPage%3D1
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/SCADA_Procurement_Language.pdf

20:
http://thumbs.dreamstime.com/z/nfl-football-field-eps-16199956.jpg
http://www.popularmechanics.com
_Model_T_-_back_view.jpg
http://en.wikipedia.org/wiki/File:Collision_Warning_Brake_Support.jpg

27:
http://www.brecknock.com/colimonb

28:
http://www.lions.org/lion-the-animal-more.html