A Pragmatic Approach to a Secure Information Environment
David Knox, VP Technology, Oracle National Security Group
Pharming and Phishing
Ways to obtain phood
The Devil’s Infosec Dictionary, CSO Online (http://www.csoonline.com/read/080105/debrief.html)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.3
Lessons Learned from Childhood
Ready or not, here they come
– Need to know why you are doing what you are doing
– Assumptions, motivations, and approach to complexity
Hidden in plain sight
– Strategies exist for defense and detection, tools exist; a practical balance is needed
Safety on base using the basics
– Policies, enforcements, governance
– Security thought of not as simple user, role, resource but based on holistic context
Cyber Security is a Complex Topic (& what this discussion is not about)
– Forensics
– Network security – FWs, IDS, IPS, encryption, mobile …
Over 1.1B Served
– 76%: breached using weak or stolen credentials
– 97%: preventable with basic controls
– 67%: records breached from servers
– 69%: discovered by an external party
Data Protection in Context
– Authentication
– Access control
– Privacy & integrity of data
– Privacy & integrity of communications
– Monitoring & auditing
(Diagram: an authenticated network connection, a table of employee records, and users in Org 10, Org 20 and Org 30 plus an Admin)
Ready or Not!
What’s Driving Security for “normal” people
“A” is for Assets
“B” is for Brand
“C” is for Compliance
Sarbanes-Oxley, Patriot Act, PCAOB Audit, PA SB 705, IL SB 1479, ND SB 2251, WA SB 6043, PIPEDA, OFAC, NIST, HSPD-12, FTC 16 CFR 314, FISMA PL 107-347, FERPA, FIPS 140-1 & 201, EU Privacy, GLB, 21 CFR Part 11, CA SB 1386, Basel II, BSA, HIPAA
Anatomy of an Attack
“You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….”
Uri Rivner, CTO, RSA (Security Division of EMC)
Targets Increasing as Attacks Evolve
– DBAs, OS admins, developers, multiple copies of the data, etc.
Mission Critical
– Term used to help hackers identify their targets
Basic Assumptions Provide the Foundation
Kerckhoffs’s principle / Shannon’s maxim: the enemy knows the system
Malicious persons and malicious code have already infiltrated your environment
Insider attack has to be addressed
Establish the mindset
Checkpoint
Assume compromise
ABC’s
– Threats often incomparable
– Impact: resulting damage can be the same
Looking for solutions which apply to all dimensions:
– Cyber
– IT Security
– Risk & Compliance
– Privacy
Hidden in Plain Sight: Defining the Approach
A Simplified Framework: Policy Driven Security
Define Policies
– Description: rules that govern what people can and cannot do
– Possible states: exist / don’t exist; ambiguous; ignored
Enforce Policies
– Description: IT controls to ensure compliance to policies; preventive measures put in place to proactively defend IT and information assets
– Possible states: exist / don’t exist; enforced / unenforced; effective / ineffective (impractical); intentionally bypassed / unintentionally bypassed
Manage & Monitor Policies
– Description: governance (ability to control and understand who has access to what); provisioning and de-provisioning based on least privilege and separation of duties; automation to ensure policy enforcement
– Possible states: exist / don’t exist; complete / incomplete; practiced / not practiced
Analysis of Possibilities (columns: Event Category, Policy State, Enforcement State (IT Controls), Governance State)
Disclosure of sensitive material
– Policy: exists; unambiguous; ignored
– Enforcement (IT controls): exists; enforced; effective; unintentionally bypassed
– Governance: exists; complete; practiced
Unauthorized access to sensitive material
– Policy: exists; unambiguous; ignored
– Enforcement (IT controls): exists; enforced; effective; unintentionally bypassed
– Governance: exists; complete; practiced
Unauthorized access to databases
– Policy: exists; unambiguous; ignored
– Enforcement (IT controls): exists; enforced; effective; unintentionally bypassed
– Governance: exists; complete; practiced
Two Questions
1. Are the enforcements linked to the policies?
2. Do the system components function as a system?
Password Policy Example
– Cannot be similar to user’s name
– Cannot be easily guessable
– Must be at least 12 characters in length
– Contains upper and lower case characters
– Contains at least one special character
– Contains at least one number
– Rotated every 90 days
– Cannot be re-used for 5 years
My current password: “This1is2Hard!”
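The policy above, as an added Python example that is not from the slides and not Oracle’s code. It answers the deck’s first question (are the enforcements linked to the policies?) rule by rule: the length and character-class rules and the user-name rule are enforced directly, the rotation and five-year reuse rules are enforced against a salted PBKDF2 history, and “cannot be easily guessable” gets its own check, because the example password satisfies every composition rule while being built from nothing but three common words. The user name, the word list, the 0.6 similarity threshold and all dates are assumptions constructed for the example.

```python
"""Added example (not from the slides or Oracle): enforce the password
policy on the slide mechanically and show where the composition rules
stop being useful. User name, word list and dates are constructed."""
import difflib
import hashlib
import re
from datetime import date, timedelta

# Constructed, deliberately tiny word list; a real check would use a
# full dictionary or a breach corpus.
COMMON_WORDS = {"this", "is", "hard", "password", "welcome", "oracle",
                "summer", "admin"}
MIN_LENGTH = 12
ROTATION_DAYS = 90
HISTORY_YEARS = 5
NAME_SIMILARITY = 0.6   # assumed threshold for "similar to user's name"


def composition_failures(password, username):
    """The slide's rules that a length or character-class check enforces."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case character")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case character")
    if not re.search(r"[0-9]", password):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    p, u = password.lower(), username.lower()
    if u in p or difflib.SequenceMatcher(None, p, u).ratio() >= NAME_SIMILARITY:
        failures.append("similar to user name")
    return failures


def letter_runs(password):
    """Alphabetic pieces left after digits and symbols are stripped."""
    return [w for w in re.split(r"[^a-z]+", password.lower()) if w]


def dictionary_words(password):
    return [w for w in letter_runs(password) if w in COMMON_WORDS]


def is_guessable(password):
    """'Cannot be easily guessable' cannot be a character-class rule: a
    password built only from common words passes every rule above."""
    runs = letter_runs(password)
    return bool(runs) and all(w in COMMON_WORDS for w in runs)


def derive(password, salt):
    """Salted, slow hash for the reuse history (never store plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reused_within_history(password, salt, history, today):
    """history: list of (changed_on, digest) for this user."""
    cutoff = today - timedelta(days=365 * HISTORY_YEARS)
    digest = derive(password, salt)
    return any(changed >= cutoff and digest == old for changed, old in history)


def rotation_due(last_changed, today):
    return (today - last_changed).days >= ROTATION_DAYS


def evaluate(password, username, salt, history, last_changed, today):
    """Apply every rule on the slide; 'accepted' only if none fails."""
    reasons = composition_failures(password, username)
    if is_guessable(password):
        reasons.append("easily guessable: only common words %s" % dictionary_words(password))
    if reused_within_history(password, salt, history, today):
        reasons.append("re-used within %d years" % HISTORY_YEARS)
    return {"accepted": not reasons, "reasons": reasons,
            "rotation_due": rotation_due(last_changed, today)}


def demo():
    """Constructed user state: one earlier password, set in 2011."""
    today = date(2013, 6, 1)
    salt = b"constructed-per-user-salt"
    history = [(date(2011, 3, 1), derive("Winter2011!!", salt))]
    return (evaluate("This1is2Hard!", "dknox", salt, history, date(2013, 1, 15), today),
            evaluate("Winter2011!!", "dknox", salt, history, date(2013, 5, 1), today))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

`This1is2Hard!` clears all six composition rules and is still rejected, with the reason naming the three words it is made of; the older password clears everything except the history check. Only the first outcome is visible to a password-complexity meter, which is why a policy that lists “cannot be easily guessable” needs an enforcement of its own rather than inheriting the character-class one.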
Passwords
Authentication tool that, when properly implemented, drives growth at the help desk
Balancing the Business
(Diagram: a triangle with Usability, Performance and Security at its corners)
Practicing Good Cyber Security Hygiene: We already know how to do this!
Defensible Systems
– Integrated security controls
– Full-stack instrumentation
– Establish and attest a secure environment
Resilient Systems
– No single point of failure: fault tolerant, agile
– Graceful degradation
– Quickly recoverable
Containment
– Isolation
– Virtualization
– Detection & response
Safety on Base: Using the Basics
Securing Today’s Enterprise Information: Focus on securing the operational environment transparently
(Diagram: Administrators, Users and Developers reaching Data through a Security Enforcement layer)
1. User’s session establishes key factors for security decisions
2. Centralized decision point used for authorizations of tasks
3. Enforcement points can verify, validate and add context
4. Monitor for anomalous actions
5. Audit critical actions
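The five steps above as an added Python example; it is not Oracle’s code and does not describe any Oracle product. A session carries the factors from step 1 (user, roles, authentication method, network, hour), one decision point (step 2) evaluates positive grant rules with a default of deny, the “Deny All; Allow Legitimate” rule of the concluding slide, an enforcement point (step 3) adds client context the decision point never saw and applies a local check, a monitor (step 4) alerts on an unusual volume of sensitive reads, and denied or critical actions go to an audit list (step 5). Every user, role, resource, rule, client-program name and the alert threshold of 20 is an assumption constructed for the example.

```python
"""Added example, not Oracle's code: steps 1-5 above as a small policy
decision point (PDP), enforcement point (PEP), monitor and audit trail.
Users, roles, resources, rules and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Step 1: factors fixed when the session is established."""
    user: str
    roles: frozenset
    auth_method: str   # assumed values: "password" or "smartcard"
    network: str       # assumed values: "corp" or "internet"
    hour: int          # local hour of day, 0-23


@dataclass(frozen=True)
class Rule:
    """One positive grant; a request matching no rule is denied."""
    action: str
    resource: str
    roles: frozenset
    networks: frozenset
    auth_methods: frozenset
    hours: range = range(0, 24)


class DecisionPoint:
    """Step 2: the one place that answers 'is this task authorized?'."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, session, action, resource):
        for r in self.rules:
            if (r.action == action and r.resource == resource
                    and r.roles & session.roles
                    and session.network in r.networks
                    and session.auth_method in r.auth_methods
                    and session.hour in r.hours):
                return True, "grant %s on %s" % (r.action, r.resource)
        return False, "no matching grant (deny all; allow legitimate)"


class Monitor:
    # Step 4: alert once when one user's sensitive reads in an hour hit the threshold.
    def __init__(self, threshold):
        self.threshold, self.counts, self.alerts = threshold, defaultdict(int), []

    def observe(self, session, resource, allowed):
        if allowed and resource.startswith("hr."):
            key = (session.user, session.hour)
            self.counts[key] += 1
            if self.counts[key] == self.threshold:
                self.alerts.append("%s: %d hr.* accesses in hour %02d"
                                   % (session.user, self.threshold, session.hour))


class EnforcementPoint:
    """Steps 3 and 5: verify the request, add context the PDP did not have
    at session start, ask the PDP, monitor, audit critical or denied actions."""
    CRITICAL = {"export", "delete"}

    def __init__(self, pdp, monitor):
        self.pdp, self.monitor, self.audit = pdp, monitor, []

    def request(self, session, action, resource, client_program):
        context = {"client_program": client_program}
        allowed, reason = self.pdp.decide(session, action, resource)
        # Constructed local check: bulk-extraction clients never touch hr.* data.
        if allowed and client_program == "sqlplus-bulk" and resource.startswith("hr."):
            allowed, reason = False, "bulk client blocked at enforcement point"
        self.monitor.observe(session, resource, allowed)
        if action in self.CRITICAL or not allowed:
            self.audit.append((session.user, action, resource, allowed, reason, context))
        return allowed


def run_scenario():
    """Constructed requests; returns (decisions, alerts, audit records)."""
    pdp = DecisionPoint([
        Rule("read", "hr.salaries", frozenset({"hr"}), frozenset({"corp"}),
             frozenset({"password", "smartcard"})),
        Rule("export", "hr.salaries", frozenset({"hr"}), frozenset({"corp"}),
             frozenset({"smartcard"}), range(8, 19)),
    ])
    pep = EnforcementPoint(pdp, Monitor(threshold=20))
    hr_pw = Session("alice", frozenset({"hr"}), "password", "corp", 10)
    hr_card_offnet = Session("alice", frozenset({"hr"}), "smartcard", "internet", 10)
    dba = Session("bob", frozenset({"dba"}), "smartcard", "corp", 10)
    decisions = {
        "hr_read": pep.request(hr_pw, "read", "hr.salaries", "hr-app"),
        "hr_export_password": pep.request(hr_pw, "export", "hr.salaries", "hr-app"),
        "hr_export_offnet": pep.request(hr_card_offnet, "export", "hr.salaries", "hr-app"),
        "dba_read": pep.request(dba, "read", "hr.salaries", "sqlplus"),
        "hr_bulk_read": pep.request(hr_pw, "read", "hr.salaries", "sqlplus-bulk"),
    }
    for _ in range(25):   # same HR user, same hour: a volume anomaly
        pep.request(hr_pw, "read", "hr.salaries", "hr-app")
    return decisions, pep.monitor.alerts, pep.audit


if __name__ == "__main__":
    decisions, alerts, audit = run_scenario()
    print(decisions, alerts, len(audit), sep="\n")
```

The DBA session is denied although it can connect, because the grant is keyed to role, network and authentication method rather than to who administers the database; that is the point of listing DBAs, OS admins and developers among the targets earlier in the deck. The bulk client is allowed by the decision point and then stopped at the enforcement point, which is what step 3 means by an enforcement point that adds context rather than only relaying a verdict.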
Concluding Points
Understand and secure human-data interactions
Need to know why you’re doing what you are doing
– Approach & principles
– Keep it simple, intuitive
New security is not based on users & roles but signatures, context & services
Security components should not be separated or disjoint from enforcement
– Policies, enforcements, governance all have to work together
Deny All; Allow Legitimate
Final, Final Concluding Points
Ready or Not
– The perfect is the enemy of the good
– Need good perception and agility
Hiding in Plain Sight
– The enemy may not be obvious
– You should not be obvious
Safe on Base
– Know your digital economy
– Apply proven, natural and intuitive practices
Recursive
See Recursive