
Page 1: International Conference on Cyber Security, Hide and Go Seek

A Pragmatic Approach to a Secure Information Environment

David Knox, VP Technology, Oracle National Security Group


Page 2

Pharming and Phishing

Ways to obtain phood

The Devil's Infosec Dictionary, CSO Online (http://www.csoonline.com/read/080105/debrief.html)

Page 3

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Lessons Learned from Childhood

Ready or not, here they come
– Need to know why you are doing what you are doing
– Assumptions, motivations, and approach to complexity

Hidden in plain sight
– Strategies exist for defense and detection, tools exist, need practical balance

Safety on base using the basics
– Policies, enforcements, governance
– Security thought of not as simple user, role, resource but based on holistic context

Page 4

Cyber Security is a Complex Topic
& what this discussion is not about

Forensics
Network security – FWs, IDS, IPS, Encryption, Mobile …

Page 5

76% breached using weak or stolen credentials
97% preventable with basic controls
67% of records breached from servers
69% discovered by an external party
Over 1.1B Served

Page 6

Data Protection in Context

[Figure: layered protection around an employee table partitioned into Org 10, Org 20 and Org 30, with an Admin view. Layers shown: Privacy & integrity of data; Monitoring & auditing; Privacy & integrity of communications; Authenticate network; Authentication; Access control]

Page 7

Ready or Not!

Page 8

What’s Driving Security for “normal” people

Page 9

Page 10

“A” is for Assets

Page 12

Compliance

Sarbanes-Oxley
Patriot Act
PCAOB Audit
PA SB 705
IL SB 1479
ND SB 2251
WA SB 6043
PIPEDA
OFAC
NIST
HSPD-12
FTC 16 CFR 314
FISMA PL 107-347
FERPA
FIPS 140-1 & 201
EU Privacy
GLB
21 CFR Part 11
CA SB 1386
Basel II
BSA
HIPAA

Page 13

Anatomy of an Attack

“You don’t bother to just simply hack the organization and its infrastructure; you focus much more of your attention on hacking the employees….”
– Uri Rivner, CTO, RSA (Security Division of EMC)

Targets Increasing as Attacks Evolve: DBAs, OS Admins, Developers, Multiple Copies of the Data, etc.

Page 14

Mission Critical

Term used to help hackers identify their targets

Page 15

Basic Assumptions Provide the Foundation

Kerckhoffs’s principle / Shannon’s maxim: the enemy knows the system

The malicious persons/code have infiltrated your environment

Insider attack has to be addressed

Establish the mindset

Page 16

Checkpoint

Assume compromise

ABC’s
– Threats often incomparable
– Impact: Resulting damage can be the same

Looking for solutions which apply to all dimensions:
– Cyber
– IT Security
– Risk & Compliance
– Privacy

Page 17

Hidden in Plain Sight: Defining the Approach

Page 18

A Simplified Framework: Policy-Driven Security

Define Policies
• Description: Rules that govern what people can and cannot do
• Possible states: Exist/Don’t exist; Ambiguous; Ignored

Enforce Policies
• Description: IT controls to ensure compliance with policies; preventive measures put in place to proactively defend IT and information assets
• Possible states: Exist/Don’t exist; Enforced/Unenforced; Effective/Ineffective (impractical); Intentionally bypassed/Unintentionally bypassed

Manage & Monitor Policies
• Description: Governance: ability to control and understand who has access to what; provisioning/de-provisioning based on least privilege and separation of duties; automation to ensure policy enforcement
• Possible states: Exist/Don’t exist; Complete/Incomplete; Practiced/Not practiced

Page 19

Analysis of Possibilities

Event category: Disclosure of sensitive material
• Policy state: Exists; Unambiguous; Ignored
• Enforcement state (IT controls): Exists; Enforced; Effective; Unintentionally bypassed
• Governance state: Exists; Complete; Practiced

Event category: Unauthorized access to sensitive material
• Policy state: Exists; Unambiguous; Ignored
• Enforcement state (IT controls): Exists; Enforced; Effective; Unintentionally bypassed
• Governance state: Exists; Complete; Practiced

Event category: Unauthorized access to databases
• Policy state: Exists; Unambiguous; Ignored
• Enforcement state (IT controls): Exists; Enforced; Effective; Unintentionally bypassed
• Governance state: Exists; Complete; Practiced


Page 21

Two Questions

1. Are the enforcements linked to the policies?

2. Do the system components function as a system?

Page 22

Password Policy Example

Cannot be similar to user’s name
Cannot be easily guessable
Must be at least 12 characters in length
Contains upper and lower case characters
Contains at least one special character
Contains at least one number
Rotated every 90 days
Cannot be re-used for 5 years

My current password:

“This1is2Hard!”
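Added example, not from the deck: a checker that encodes the slide's eight rules as an enforcement tied directly to the written policy, run against the password shown. The username, the "easily guessable" word list and the reuse-history representation are constructed for illustration.

```python
import hashlib
from difflib import SequenceMatcher

MIN_LENGTH, ROTATION_DAYS = 12, 90
SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/")
# Constructed stand-in for "easily guessable"; a real deployment would consult
# a breached-password corpus instead of a five-word list.
COMMON_WORDS = ("password", "letmein", "welcome", "qwerty", "123456")

def similar_to_name(password, username, threshold=0.6):
    """Rule 1: reject the name as a substring or as a near match of the whole password."""
    p, u = password.lower(), username.lower()
    return u in p or SequenceMatcher(None, p, u).ratio() >= threshold

def history_digest(password):
    """Digest kept for the 5-year reuse check. Stand-in only: production systems keep a
    salted, slow hash (bcrypt/argon2) per retired password and compare via its verify call."""
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(password, username, history=(), age_days=0):
    """Return the policy rules the password violates; an empty list means it complies."""
    failures = []
    if similar_to_name(password, username):
        failures.append("similar to user's name")
    if any(w in password.lower() for w in COMMON_WORDS):
        failures.append("easily guessable")
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 12 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("needs upper and lower case")
    if not any(c in SPECIAL for c in password):
        failures.append("needs a special character")
    if not any(c.isdigit() for c in password):
        failures.append("needs a number")
    if age_days > ROTATION_DAYS:
        failures.append("rotation overdue")
    if history_digest(password) in history:  # history: digests retired within the last 5 years
        failures.append("re-used")
    return failures

if __name__ == "__main__":
    # The deck's own example satisfies every rule the checker can test.
    print(check_password("This1is2Hard!", "dknox"))  # []
    print(check_password("Password123", "dknox"))
    # ['easily guessable', 'shorter than 12 characters', 'needs a special character']
```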

Page 23

Passwords

Authentication tool that, when properly implemented, drives growth at the help desk

Page 24

Balancing the Business

[Figure: trade-off triangle with Usability, Performance and Security at its corners]

Page 25

Practicing Good Cyber Security Hygiene
We already know how to do this!

Defensible Systems
– Integrated security controls
– Full stack instrumentation
– Establish and attest a secure environment

Resilient Systems
– No SPOF: Fault tolerant, agile
– Graceful degradation
– Quickly recoverable

Containment
– Isolation
– Virtualization
– Detection & response

Page 26

Safety on Base: Using the Basics

Page 27

Securing Today’s Enterprise Information
Focus on securing the operational environment transparently

[Figure: Administrators, Users and Developers reaching Data through a Security Enforcement layer]

1. User’s session establishes key factors for security decisions
2. Centralized decision point used for authorizations of tasks
3. Enforcement points can verify, validate and add context
4. Monitor for anomalous actions
5. Audit critical actions

Page 28

Concluding Points

Understand and secure human-data interactions

Need to know why you’re doing what you are doing
– Approach & Principles
– Keep it simple, intuitive

New security is not based on users & roles but signatures, context & services

Security components should not be separated, disjoint from enforcement
– Policies, enforcements, governance all have to work together.

Deny All; Allow Legitimate
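Added example, not from the deck, that wires the five numbered steps of the "Securing Today's Enterprise Information" slide to the "Deny All; Allow Legitimate" stance in Python: a session carries the context factors, one decision function holds the rules, and an enforcement function applies them row by row while counting refusals and writing audit records. The employee rows, rule set and anomaly threshold are constructed for illustration.

```python
import collections
from dataclasses import dataclass

# Constructed sample rows (hypothetical; loosely modelled on the table in the slide 6 figure).
EMPLOYEES = [
    {"name": "KNOX", "org": 10, "salary": 12029},
    {"name": "KYTE", "org": 20, "salary": 17045},
    {"name": "CAREY", "org": 30, "salary": 12032},
]

@dataclass(frozen=True)
class Session:
    """Step 1: the session carries the factors every later decision is made on."""
    user: str
    org: int
    roles: frozenset
    mfa: bool      # how strongly the user authenticated
    network: str   # where the request comes from, e.g. "corp" or "remote"

# Step 2: one central decision point. Anything not matched here is denied
# ("Deny All; Allow Legitimate"). The rules are constructed for this example.
RULES = [
    ("read",   lambda s, row: row["org"] == s.org),                                 # own org
    ("read",   lambda s, row: "admin" in s.roles and s.mfa),                        # admins with MFA
    ("update", lambda s, row: "admin" in s.roles and s.mfa and s.network == "corp"),
]

AUDIT, DENIES = [], collections.Counter()

def decide(session, action, row):
    return any(act == action and allowed(session, row) for act, allowed in RULES)

def enforce(session, action):
    """Step 3: the enforcement point evaluates row by row and adds context the caller never
    sees (the rows it was refused); steps 4 and 5: count denies and audit critical actions."""
    visible = []
    for row in EMPLOYEES:
        ok = decide(session, action, row)
        if ok:
            visible.append(row["name"])
        else:
            DENIES[session.user] += 1
        if action != "read" or not ok:  # every refusal and every non-read action is audited
            AUDIT.append({"user": session.user, "action": action, "row": row["name"],
                          "allowed": ok, "mfa": session.mfa, "network": session.network})
    return visible

def anomalous_users(threshold=3):
    """Step 4: a deliberately simple monitor that flags users piling up refusals."""
    return sorted(u for u, n in DENIES.items() if n >= threshold)

def reset():
    AUDIT.clear(); DENIES.clear()
```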

Page 29

Final, Final Concluding Points

Ready or Not
– The perfect is the enemy of the good
– Need good perception and agility

Hiding in Plain Sight
– The enemy may not be obvious
– You should not be obvious

Safe on Base
– Know your digital economy
– Apply proven, natural and intuitive practices

Page 30

Recursive

See Recursive

Page 31