How to secure an information security environment January 15, 2014 Lance P. Hawk CFE, CGEIT, CISA, CISM, CRISC compsecman@verizon.net


Page 1:

How to secure an information security environment

January 15, 2014

Lance P. Hawk CFE, CGEIT, CISA, CISM, CRISC compsecman@verizon.net

Page 2:

About the speaker

Lance Hawk has over 30 years of professional experience in various fields of computer security. He is owner and operator of Computer Forensics and IT Security Solutions, LLC, specializing in computer forensics, threat management and IT security solutions. Lance manages and directs the IT security, risk and compliance program for a local international manufacturing company, serving as its Information Security Manager and Chief Information Security Officer. He is proficient in the preservation, identification, extraction, recovery, interpretation and documentation of computer evidence, including the rules of evidence, legal processes, integrity of evidence, and the factual reporting of the information found. Lance serves as a consultant and trainer in computer security and computer forensics to law enforcement, government, industry and academia. Previously he was the manager of computer forensics and global cyber investigations at Air Products and Chemicals, Inc. He is a past president of Philadelphia InfraGard (an FBI and industry partnership) and of local chapters of the Information Systems Audit and Control Association and the Association of Certified Fraud Examiners.

Page 3:

Agenda
• Definitions
• Information Security Principles
• Security Enablers
• Information Security Policy
• Security Requirements and Priorities Input
• Key Success Factors
• COBIT 5
– ISSC, CISO, ISM Roles
• ISO 27002
• Implementing Controls
• 20 Critical Security Controls – source www.sans.org
• Target Data Breach and Security Best Practices for PoS Systems
• Good Sources of Cyber Security Information

Page 4:

Definitions
• FISMA – The Federal Information Security Management Act of 2002 recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA brought attention within the federal government to cyber security and explicitly emphasized a "risk-based policy for cost-effective security."
• NSA – No Such Agency
• ISSC vs. CISO vs. ISM
• NIST vs. COBIT vs. ISO 27002 (International Organization for Standardization; successor to ISO/IEC 17799, which was itself derived from BS 7799)

Page 5:

Information Security

Ensures that within your workplace, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity) and lack of access when required (availability).
• Confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information.
• Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation (an authentication service that provides proof of the integrity and origin of data, so the originator cannot later deny it) and authenticity.
• Availability means ensuring timely and reliable access to and use of information.

Securing information at your workplace comes down to adopting, and then actually implementing, a set of information security principles!

Page 6:

Information Security Principles

1. Support the business
2. Defend the business
3. Promote responsible information security behavior

Page 7:

Information Security Principles
1. Support the business:
• Focus on the business to ensure that information security is integrated into essential workplace activities.
• Deliver quality and value to stakeholders to ensure that information security delivers value and meets business requirements.
• Comply with relevant legal and regulatory requirements to ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.
• Provide timely and accurate information on information security performance to support business requirements and manage information risk.
• Evaluate current and future information threats to analyze and assess emerging information security threats so that informed, timely action to mitigate risk can be taken.
• Promote continuous improvement in information security to reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security.

Page 8:

Information Security Principles cont.

2. Defend the business:
• Adopt a risk-based approach to ensure that risk is treated in a consistent and effective manner.
• Protect classified information to prevent disclosure to unauthorized individuals.
• Concentrate on critical business applications to prioritize scarce information security resources by protecting the business applications in which a security incident would have the greatest business impact.
• Develop systems securely to build quality, cost-effective systems on which business people can rely.

3. Promote responsible information security behavior:
• Act in a professional and ethical manner to ensure that information security-related activities are performed in a reliable, responsible and effective manner.
• Foster an information security-positive culture to provide a positive security influence on the behavior of end users, reduce the likelihood of security incidents occurring, and limit their potential business impact.

Page 9:

Security Enablers

• Ethics and culture relating to information security
• Applicable laws, regulations and policies
• Applicable contractual regulations
• Existing policies and practices
• Maturity level of the current information security enablers
• Information security capabilities and available resources
• Industry practices
• Existing and mandatory standards and frameworks regarding information security

Page 10:

Policy Framework

Page 11:

Information Security Policy
• Policy MUST be driven by control objectives from COBIT, ISO, etc.
• Policies provide more detailed guidance on how to put controls into practice and how they will influence decision making.
– Risk management policy (ISO)
– Information security policy (ISO)
– Acceptable use policy*
– Organization of information security policy (ISO)
– Asset management policy (ISO)
– Personnel information/Human Resources security policy (ISO)
– Physical and environmental information security policy (ISO)
– Communications and operations management policy (ISO)
– Access control policy (ISO)
– Information systems acquisition, software development and maintenance policy (ISO)
– Incident management policy (ISO)
– Business continuity and disaster recovery policy (ISO)
– Compliance policy (ISO)
– Vendor management policy (Human Resources)
– Mobile device policy (Access Control/Acceptable Use)
– Guest wireless policy (Access Control/Acceptable Use)

Page 12:

Wearable Device Policy: Google Glass / Pebble Smartwatch

Just by getting Glass to "see" a malicious QR code, an attacker could force it onto an attacker-controlled Wi-Fi network or Bluetooth connection and then eavesdrop on all of its communications. Admittedly, the attack wouldn't trigger a countdown to global doom, but it does highlight the automated, promiscuous network-connecting habits of mobile devices, Glass included.
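The slide does not show how a device should treat a scanned network-provisioning code, so the following is an added example (not from the talk, and not Glass's actual provisioning format). It parses the common ZXing-style `WIFI:` QR payload, which is assumed here as a stand-in, and decides whether the device may ignore the code, must block it, or must ask the user before joining; nothing in it ever joins a network unattended. The sample payloads are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample codes (not from the talk). They use the ZXing-style "WIFI:" QR
# scheme, assumed here as a stand-in for whatever provisioning format a wearable reads:
#   WIFI:T:<WPA|WEP|nopass>;S:<ssid>;P:<password>;H:<true|false>;;
# with ; , : and \ escaped by a backslash inside field values.
SAMPLE_PAYLOADS = [
    "WIFI:T:WPA;S:Corp-Guest;P:s3cret\\;pass;;",        # escaped ';' inside the password
    "WIFI:T:nopass;S:Free Airport WiFi;;",             # open network
    "WIFI:T:WPA;S:attacker-ap;P:pwned;H:true;;",        # hidden SSID
    "https://example.invalid/menu",                    # not a network payload at all
]

# One "KEY:value;" field; the value may contain backslash-escaped characters.
_FIELD_RE = re.compile(r"([A-Z]+):((?:\\.|[^;\\])*);")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def parse_wifi_qr(payload: str) -> Optional[Dict[str, str]]:
    """Return the WIFI: fields as a dict, or None when the payload is not a Wi-Fi config."""
    if not payload.startswith("WIFI:"):
        return None
    return {key: _unescape(raw) for key, raw in _FIELD_RE.findall(payload[len("WIFI:"):])}


@dataclass
class Decision:
    action: str   # "ignore", "block" or "prompt"; this policy never yields an unattended "join"
    reason: str


def evaluate_wifi_qr(payload: str) -> Decision:
    """Policy: a scanned code may propose a network but never join one without the user."""
    fields = parse_wifi_qr(payload)
    if fields is None:
        return Decision("ignore", "not a network-provisioning payload")
    ssid = fields.get("S", "")
    auth = fields.get("T", "").upper()
    if not ssid:
        return Decision("block", "missing SSID")
    if auth in ("", "NOPASS", "WEP"):
        return Decision("block", f"{ssid!r} offers no usable encryption ({auth or 'open'})")
    if fields.get("H", "").lower() == "true":
        return Decision("prompt", f"hidden network {ssid!r}: confirm with the owner out of band")
    return Decision("prompt", f"join {ssid!r} ({auth}) only after explicit user confirmation")


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        d = evaluate_wifi_qr(p)
        print(f"{d.action:6} {d.reason}")
```

The design point is that the parser and the policy are separate: the parser only extracts fields (handling the escape syntax so a crafted password cannot smuggle in an extra field), and the policy decides, with the default being a prompt rather than a join.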

Page 13:

Are you both bald and lost? And want to run a .PPT like this? Then, I have a deal for you…

Page 14:

Sony Smart Wig
There are three versions of the wacky Japanese invention:
1) A built-in laser pointer for .PPT presentations (advance a slide by tugging the right sideburn, go back a page by pulling on the left)
2) One that guides the user to his or her destination using vibrations and an onboard GPS
3) One that keeps track of body temperature and blood pressure

Page 15:

Security Requirements and Priorities Input

• Business plan and strategic intentions
• Management style
• Information risk profile
• Risk appetite

Page 16:

Key Success Factors
• The direction and mandate for the information security initiative, as well as visible ongoing commitment and support provided by top management
• An information security initiative that understands the business and IT objectives and is supported by all parties
• Effective communication and enablement of the necessary changes
• COBIT 5 for Information Security and other supporting good practices and standards (ISO 27002) that are tailored to fit the unique context of your business
• Adequate funding and resource commitment
• Adequately skilled human resources who can implement the enablers
• Focus on quick wins and prioritize the most beneficial improvements that are easiest to implement

Page 17:

COBIT 5

• COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from information technology (IT) by maintaining a balance between realizing benefits and optimizing risk levels and resource use.

• COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

Page 18:
Page 19:

Governance vs. Management

• The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes.
– Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
– Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Page 20:
Page 21:

COBIT Benefits
• Reduced complexity and increased cost-effectiveness due to improved and easier integration of information security standards, good practices and/or sector-specific guidelines
• Increased user satisfaction with information security arrangements and outcomes
• Improved integration of information security in the enterprise
• Informed risk decisions and risk awareness
• Improved prevention, detection and recovery
• Reduced (impact of) information security incidents
• Enhanced support for innovation and competitiveness
• Improved management of costs related to the information security function
• Better understanding of information security including critical security controls

Page 22:
Page 23:

Control Recommendations Example: 7 – Wireless Device Control

• Quick Wins - Ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Deny access to those wireless devices that do not have such a configuration and profile.

• Visibility/Attribution - Perform a site survey to determine what areas within the organization need coverage. After the wireless access points are strategically placed, the signal strength should be tuned to minimize leakage to areas that do not need coverage.

• Configuration/Hygiene - Register all mobile devices, including personnel devices, prior to connecting to the wireless network. All registered devices must be scanned and follow the corporate policy for host hardening and configuration management.

• Advanced - Configure all wireless clients used to access private networks or handle organization data in such a way that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by the organization.

• Best in Class – generally with Gartner, Forrester, SANS or TechRepublic input.
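One way to automate the Quick Win above, as an added example (not from the talk and not from the SANS controls document): check each association event reported by a wireless controller against a register of authorized devices, denying anything unregistered, anything registered without a documented owner and business need, and anything connecting outside its approved SSID/authentication profile. The register, the log line format and the MAC addresses are constructed for the example; a real deployment would read both from the controller and the asset inventory.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed authorized-device register (hypothetical; the talk names no inventory
# format). Each MAC maps to the owner, the business need and the security profile
# (SSID + authentication method) the device is approved for.
AUTHORIZED: Dict[str, dict] = {
    "aa:bb:cc:00:00:01": {"owner": "j.doe", "need": "warehouse scanner", "ssid": "CORP", "auth": "WPA2-EAP"},
    "aa:bb:cc:00:00:02": {"owner": "", "need": "", "ssid": "CORP", "auth": "WPA2-EAP"},   # registered, no owner
    "aa:bb:cc:00:00:03": {"owner": "it.ops", "need": "AP survey laptop", "ssid": "CORP", "auth": "WPA2-EAP"},
}

# Constructed controller log (hypothetical format): "<time> assoc mac=<mac> ssid=<ssid> auth=<method>".
ASSOC_LOG = """\
2014-01-15T09:00:01 assoc mac=aa:bb:cc:00:00:01 ssid=CORP auth=WPA2-EAP
2014-01-15T09:00:07 assoc mac=aa:bb:cc:00:00:02 ssid=CORP auth=WPA2-EAP
2014-01-15T09:01:12 assoc mac=aa:bb:cc:00:00:03 ssid=CORP auth=WPA2-PSK
2014-01-15T09:02:40 assoc mac=de:ad:be:ef:00:01 ssid=CORP auth=WPA2-EAP
2014-01-15T09:03:00 deauth mac=aa:bb:cc:00:00:01 reason=idle
"""

LINE_RE = re.compile(r"^(\S+) assoc mac=([0-9a-f:]{17}) ssid=(\S+) auth=(\S+)$")


class Verdict(NamedTuple):
    mac: str
    action: str   # "allow" or "deny"
    reason: str


def check_association(mac: str, ssid: str, auth: str) -> Verdict:
    """Apply the control: known device, documented owner/need, and matching profile."""
    entry = AUTHORIZED.get(mac.lower())
    if entry is None:
        return Verdict(mac, "deny", "not in authorized device register")
    if not entry["owner"] or not entry["need"]:
        return Verdict(mac, "deny", "registered but no documented owner/business need")
    if (ssid, auth) != (entry["ssid"], entry["auth"]):
        return Verdict(mac, "deny",
                       f"profile mismatch: expected {entry['ssid']}/{entry['auth']}, saw {ssid}/{auth}")
    return Verdict(mac, "allow", f"matches profile, owner {entry['owner']}")


def audit_log(text: str) -> List[Verdict]:
    """Evaluate every association event in the log; other event types are skipped."""
    verdicts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, mac, ssid, auth = m.groups()
        verdicts.append(check_association(mac, ssid, auth))
    return verdicts


if __name__ == "__main__":
    for v in audit_log(ASSOC_LOG):
        print(f"{v.action:5} {v.mac} {v.reason}")
```

Run on the constructed log it allows the first device and denies the other three, each with the reason a reviewer needs; the same function can be wired to a NAC or controller API to enforce the deny instead of only reporting it.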

Page 24:

Target Hack
• The Target hack was against PoS systems using memory-scraping malware, reported at the time as Dexter (later public analysis attributed the Target compromise to a BlackPOS variant).
• Guest information separate from the payment card data previously disclosed was also taken during the breach, which affected customers using a debit or credit card 11/27 – 12/15/2013.
– This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses; combined with the payment card data, up to 110 million individuals are affected.
• PoS hardware consists of the device used by customers to swipe their credit or debit card, and the computing equipment electronically attached to the device.
• PoS software are the applications that process the data found on the credit or debit card's magnetic stripe. Key information the software looks for is stored on two tracks:
– Track one: primary account number, cardholder's name and expiration date
– Track two: primary account number and expiration date (no cardholder name)
– Dexter steals the process list from the infected computer, and dissects process memory dumps looking for the track one and track two data
• Need to block the following in outgoing firewall rule sets (and alert on DNS lookups for them)!
– 11e2540739d7fbea1ab8f9aa7a107648.com
– 7186343a80c6fa32811804d23765cda4.com
– e7dce8e4671f8f03a040d08bb08ec07a.com
– e7bc2d0fceee1bdfd691a80c783173b4.com
– 815ad1c058df1b7ba9c0998e2aa8a7b4.com
– 67b3dba8bc6778101892eb77249db32e.com
– fabcaa97871555b68aa095335975e613.com
• Call 1-866-852-8680 if you "qualify"
• The primary risk to affected individuals is increased exposure to consumer scams, such as phishing, web scams and social engineering, including via texts!
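An added example (not Dexter's code and not from the talk) of the logic a RAM scraper uses to pull track 1 and track 2 data out of a process memory dump, which is equally the logic a defender's memory or disk scanner uses to find it first: match the ISO 7813 track framing (`%…?` for track 1, `;…?` for track 2), keep only PANs that pass the Luhn check to drop digit runs that merely look like card numbers, and mask the PAN before reporting so the scanner's own output is not cardholder data. The memory dump is constructed inline with two industry test PANs and one decoy that fails Luhn.

```python
import re
from typing import List, NamedTuple

# ISO 7813 framing. Track 1: "%<format code><PAN>^<name>^<YYMM><service code + discretionary>?"
# Track 2: ";<PAN>=<YYMM><service code + discretionary>?". Searched as bytes so a raw dump
# full of NULs and non-text bytes can be scanned without decoding it first.
TRACK1_RE = re.compile(rb"%[A-Z](\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]{0,80}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")

# Constructed stand-in for a PoS process memory dump (not a real capture). It mixes
# binary noise and text with two records using industry test PANs and one decoy PAN
# whose check digit is wrong.
SAMPLE_DUMP = (
    b"\x00\x10msvcrt.dll\x00Transaction complete\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?\x00\x00"
    b"pos.exe\x00\xff\xfe\x01"
    b";5500000000000004=25121010000000000?\x00"
    b";4111111111111112=25121010000000000?\x00"   # decoy: fails Luhn
    b"LOG: batch closed\x00"
)


class Finding(NamedTuple):
    offset: int
    track: int
    masked_pan: str
    expiry: str      # MM/YY
    name: str        # track 1 only


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; rejects most digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep the BIN (first 6) and last 4 so findings can be triaged without storing full PANs."""
    p = pan.decode("ascii")
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def fmt_expiry(yymm: bytes) -> str:
    s = yymm.decode("ascii")
    return f"{s[2:]}/{s[:2]}"


def scan_for_track_data(blob: bytes) -> List[Finding]:
    """Return Luhn-valid track 1 and track 2 records found in blob, ordered by offset."""
    findings = []
    for m in TRACK1_RE.finditer(blob):
        pan, name, yymm = m.groups()
        if luhn_ok(pan.decode("ascii")):
            findings.append(Finding(m.start(), 1, mask_pan(pan), fmt_expiry(yymm),
                                    name.decode("latin-1")))
    for m in TRACK2_RE.finditer(blob):
        pan, yymm = m.groups()
        if luhn_ok(pan.decode("ascii")):
            findings.append(Finding(m.start(), 2, mask_pan(pan), fmt_expiry(yymm), ""))
    return sorted(findings)


if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE_DUMP):
        print(f"offset {f.offset:6d} track {f.track} PAN {f.masked_pan} exp {f.expiry} {f.name}")
```

The Luhn filter is what separates a usable scanner from a noisy one: track framing characters and long digit runs occur in ordinary binaries, but a run that also carries a valid check digit inside a track frame is almost always real. Pointing the same function at memory dumps from PoS hosts (or at files a scraper has staged for exfiltration) gives a cheap detection for the class of attack described on this slide.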

Page 25:

Your Risk and Target’s Response

• Target is offering one year of free credit monitoring to all Target guests who shopped in U.S. stores, through Experian’s® ProtectMyID® product which includes identity theft insurance where available. To receive your unique activation code for this service, please go to creditmonitoring.target.com and register before April 23, 2014. Activation codes must be redeemed by April 30, 2014.

• Call 1-866-852-8680 if you have any questions
• The primary risk is increased exposure to consumer scams, such as phishing, web scams and social engineering, including via texts!

Page 26:

I Received the Following …

Page 27:

Patching a PoS System
• Most are Windows based
• Patch deployment is slow or non-existent because of the many government and industry regulations; if a company supplying PoS systems updates or changes its product and the change reaches a certain threshold, it has to go through an approval process
• Another reason for slow patch rollout is that management has learned to err on the side of caution when it comes to updates, remembering when it was anyone's guess whether an update installed correctly, bricked workstations, or brought down mission-critical servers
• Therefore, PoS systems are "ripe" for attack

http://www.us-cert.gov/ncas/alerts/TA14-002A

Page 28:

Security Best Practices for PoS Systems

• Use Strong Passwords: During the installation of POS systems, installers often use the default passwords for simplicity on initial setup. Unfortunately, the default passwords can be easily obtained online by cybercriminals. It is highly recommended that business owners change passwords to their POS systems on a regular basis, using unique account names and complex passwords.

• Update POS Software Applications: Ensure that POS software applications are using the latest updated software applications and software application patches. POS systems, in the same way as computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.

• Install a Firewall: Firewalls should be utilized to protect POS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.

• Use Antivirus: Antivirus programs recognize software that matches their current definitions of malicious code and attempt to restrict that malware's access to the system. It is important to continually update the antivirus programs for them to be effective on a POS network.

• Restrict Access to Internet: Restrict access to POS system computers or terminals to prevent users from accidentally exposing the POS system to security threats existing on the internet. POS systems should only be utilized online to conduct POS related activities and not for general internet use.

• Disallow Remote Access: Remote access allows a user to log into a system as an authorized user without being physically present. Cyber Criminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, it is important to disallow remote access to the POS network at all times.

Page 29:

Sources
• NIST – http://csrc.nist.gov/publications/PubsSPs.html **
– SP 800-53 rev4 Security and Privacy Controls for Federal Information Systems and Organizations
– SP 800-61 rev2 Computer Security Incident Handling Guide
– SP 800-92 Guide to Computer Security Log Management
– SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs)
• COBIT 5 – www.isaca.org
• ISO 27002 – http://www.iso27001security.com/html/27002.html#Section5
• SANS – www.sans.org
• Incident Response
– http://www.cert.org/
– http://www.us-cert.gov/ and for industrial control systems …
– https://ics-cert.us-cert.gov/Standards-and-References