
Integrating Security with Asset Management, Part 1

Summary:

  • First in a sequence of blogs which will outline how to implement security measures with business support.
  • Know what you know and investigate what you don’t know
  • Leverage existing systems but apply some intelligence to achieve security goals
  • Refine: identify the weaknesses, fix them and monitor for improvement.

Simple question: Can you tell me right now, who has disabled their AV?

It’s amazing how many organisations would not be able to give you an answer to that.

‘You cannot protect what you can’t see’

Consider these scenarios:

  • decentralised procurement/budgets lead to authorised or unauthorised purchases (a computer, say); for one reason or another the asset is not tracked in the asset register, the computer is compromised, and a security issue follows.
  • staff connect a custom-built system to the network, the system gets infected and causes issues on the network, leading to a security issue.

I’ve been an advocate of having asset management as part of a security function for quite some time; it may not be managed by the security team, but the security team could and should have some input and exposure. The reasoning behind this stems from the implementation of the SANS 20 Critical Security Controls.

The first control is to create an Inventory of Authorised and Unauthorised Devices:

http://www.sans.org/critical-security-controls/control/1

The win is that you know what to protect within your organisation, and you gain statistics along the way. Statistics can then be used for a lot of things: metrics, milestones, forecasting, planning, KPIs, etc.
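As an added illustration of the inventory control (example code, not from the original post or from SANS), the script below reconciles a constructed asset register against a constructed DHCP lease dump and a constructed endpoint-protection export, answering both the ‘rogue device’ scenarios and the ‘who has disabled their AV?’ question. All hostnames, MACs and owners are made up for the example.

```python
"""Reconcile an asset register against what is actually seen on the network.

Constructed sample data (not from any real environment) stands in for three
feeds most organisations already have: the asset register, the DHCP lease
table and the endpoint-protection console's status export.
"""

# Constructed asset register: MAC address -> (hostname, owner, department)
ASSET_REGISTER = {
    "00:11:22:33:44:01": ("FIN-LT-01", "alice", "finance"),
    "00:11:22:33:44:02": ("FIN-LT-02", "bob", "finance"),
    "00:11:22:33:44:03": ("ENG-WS-07", "carol", "engineering"),
}

# Constructed DHCP lease dump, one lease per line: "<ip> <mac> <hostname>"
DHCP_LEASES = """\
10.0.1.10 00:11:22:33:44:01 FIN-LT-01
10.0.1.11 00:11:22:33:44:02 FIN-LT-02
10.0.1.57 0a:1b:2c:3d:4e:5f homebuilt-nas
"""

# Constructed endpoint-protection export: hostname -> real-time protection on?
AV_STATUS = {"FIN-LT-01": True, "FIN-LT-02": False}


def parse_leases(text):
    """Return {mac: (ip, hostname)} from the lease dump, ignoring blank lines."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            ip, mac, host = parts
            leases[mac.lower()] = (ip, host)
    return leases


def unauthorised_devices(register, leases):
    """Devices seen on the network that are not in the register (the 'unauthorised' half of CSC 1)."""
    return sorted((mac, *leases[mac]) for mac in leases if mac not in register)


def av_disabled(register, av_status):
    """Owners of registered assets whose endpoint protection reports as disabled."""
    return sorted(owner for host, owner, _ in register.values()
                  if av_status.get(host) is False)


def not_in_av_console(register, av_status):
    """Registered assets the endpoint console has never heard of: a coverage gap."""
    return sorted(host for host, _, _ in register.values() if host not in av_status)


if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    print("unauthorised on network:", unauthorised_devices(ASSET_REGISTER, leases))
    print("AV disabled:", av_disabled(ASSET_REGISTER, AV_STATUS))
    print("not in AV console:", not_in_av_console(ASSET_REGISTER, AV_STATUS))
```

Each of the three lists is a work item for the process side (who bought it, why is it off the register, why is the agent off), which is the point of feeding security from the register rather than the other way round.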

Remember: before any system is implemented, business support and approval must be obtained, otherwise the project is doomed to failure.

No matter how good your asset management is, you will get rogue purchases and staff circumventing the system. This is where planning, policy and processes are required to stop the leaks.

Not everything has a technological solution; in fact, planning/strategy, policies, procedures and guidelines help drive the technology selection process for an organisation.

  • Planning/strategy allows the right decisions to be made so that the company infrastructure can be designed to support the organisation. It also gives all staff a uniform, common goal.
  • Policies are required to steer procurement decisions for the organisation and are also used to curb deviations from the corporate norm (by procurement and by delinquent departments).
  • Standards are defined to ensure alignment with the policies for procurement, IT and all staff. Standards are also there for system identification.
  • Guidelines assist planners by outlining what could be used within an environment.

With this in place, the laws of the land are set out and can be referred to by all.

A good resource for policy creation is the SANS Security Policy Project:
http://www.sans.org/security-resources/policies/

The primer is a good read.

Having these in place will help reduce the number of ‘rogue’ devices within the organisation as well as set the framework for a solid asset management system.

The importance of strategy, metrics and KPIs

Summary:

  • Security has always been and will continue to be a moving target
  • Information Security has always been and will continue to be a fast moving target
  • Doing ‘security by audit’ alone fails. Security strategies are required to adapt to new threats.
  • Strategy, metrics and KPIs must be available and flexible enough to adapt to changes in the business

There are people out there that may remember this:
Centralised computing (mainframes) -> Client/server computing -> Centralised computing (data centres/virtualisation) -> Decentralised computing (cloud)…

During each stage, information has shifted back and forth between computing models and business boundaries.

What has always been at the core is the ability of any Information Security discipline to identify and secure this information wherever it may be.

There are organisations that are at the cutting edge and there are some that still use mainframes.

If the organisation’s security strategy is to ensure that all systems are behind a perimeter, and yet the data is in a third-party cloud, the strategy is destined to fail.

This is one of the reasons why organisations that only do ‘security by checkbox’ continue to get compromised. Iterations of audits/standards must consider change in order to keep pace with the current threat environment. Ticking checkboxes can only provide you with a *baseline* level of security.

Security gaps appear between the last checkbox review and new developments from the adversary.

Strategy, or to be precise information security strategy, is designed to ensure that information remains secure regardless of the business/computing model.

Strategy should consider and respect the basic security tenets: CIA triad, need to know, data at rest/transit, etc…

Metrics are used to gauge what the current state of play is. Nothing complex, just plain and simple information. Items of interest include: computing equipment, applications, data and associated classifications, etc.

KPIs are used to ensure that any program being implemented meets or exceeds the intended level of protection, e.g. the ‘strength’ of a countermeasure, level of compliance, effectiveness/penetration of policy, etc. They are continuously reviewed against the security strategy/scope, i.e. if the strategy/scope changes, the KPI changes.

As a specific working example (don’t implement to this level of detail; it should be done from a higher level):

  • Strategy: ensure that the passwords remain secure and only accessible to me and another person, passwords are to be kept in a centralised location and not transmitted over the wire, etc…
  • Metrics: Who has accessed it? How many times has it been accessed? Number of attempted breaches? Number of successful breaches? etc
  • KPI: Have there been any attempts to gain unauthorised access to the passwords? How long did it take for the breach to be reported? Was it handled promptly and closed?

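To make the strategy/metrics/KPI split above concrete, here is an added example (not from the original post) that derives the listed metrics and KPIs from a constructed audit log of a hypothetical central password store. The authorised users, the log format and the two-hour reporting target are assumptions for the example.

```python
"""Derive the metrics and KPIs from an audit log of a central password store.

Constructed log format (assumed, not from any real product):
    "<ISO timestamp> <user> <event>"   event in READ, DENIED, REPORTED, CLOSED
"""
from collections import Counter
from datetime import datetime

# Strategy: only these two people may access the store (constructed names).
AUTHORISED = {"alice", "bob"}

# Constructed sample log: mallory is refused twice, then gets in, and bob
# raises an incident 90 minutes later which alice closes.
AUDIT_LOG = """\
2024-03-01T09:00:00 alice READ
2024-03-01T09:05:00 bob READ
2024-03-01T10:12:00 mallory DENIED
2024-03-01T10:13:00 mallory DENIED
2024-03-01T10:14:00 mallory READ
2024-03-01T11:44:00 bob REPORTED
2024-03-01T13:14:00 alice CLOSED
"""


def parse_log(text):
    """Return a list of (timestamp, user, event) tuples in log order."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def metrics(events):
    """The plain counts the post lists under 'Metrics'."""
    reads = Counter(u for _, u, e in events if e == "READ")
    return {
        "accesses_per_user": dict(reads),
        "attempted_breaches": sum(1 for _, _, e in events if e == "DENIED"),
        "successful_breaches": sum(1 for _, u, e in events
                                   if e == "READ" and u not in AUTHORISED),
    }


def kpis(events, report_sla_minutes=120):
    """The 'KPI' questions; report_sla_minutes is an assumed target."""
    first_breach = next((t for t, u, e in events
                         if e == "READ" and u not in AUTHORISED), None)
    reported = next((t for t, _, e in events if e == "REPORTED"), None)
    minutes_to_report = None
    if first_breach and reported:
        minutes_to_report = (reported - first_breach).total_seconds() / 60
    return {
        "unauthorised_attempts": any(u not in AUTHORISED for _, u, _ in events),
        "minutes_to_report": minutes_to_report,
        "reported_within_sla": minutes_to_report is not None
                               and minutes_to_report <= report_sla_minutes,
        "closed": any(e == "CLOSED" for _, _, e in events),
    }


if __name__ == "__main__":
    ev = parse_log(AUDIT_LOG)
    print(metrics(ev))
    print(kpis(ev))
```

Note that the KPIs only work because the metrics underneath them exist: without the DENIED and REPORTED events being logged at all, the ‘how long did it take to report?’ question has no answer.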
Without the above, adapting security to a changing environment is an extremely difficult task.

What makes for a well-oiled security strategy

Summary:

  • CIOs/CISOs need to be able to determine and provide a unified communication strategy to other CxOs and staff outlining what needs to be protected, risks associated and how to mitigate these risks.
  • Security efficiency is achieved by integrating as much as possible into normal business functions.
  • The effectiveness of any security program can only be assessed if the program is measurable.
  • Scope, timing, statistics and integration are required.

Like all good security-conscious organisations, you have security policies, security software, procedures, etc. That is all well and good, but how effective is it?

Coming from an incident response/project management background, every task is quantified; hence aim, scope, timing and statistics/metrics are extremely important. Integration ensures that there is no disconnect between the business and security functions; it also avoids overlooking security tasks.

The CIO/CISO steers the security ship: communicate to the other C-level executives and get their support in communicating to the rest of the staff.

Aim needs no introduction; for completeness, the aim is to protect the organisation’s assets by identifying risk against those assets and developing measurable strategies to ensure that the exposure is reduced in the shortest period of time.

  • Scope is very important for understanding the impact of a situation and for reducing resource utilisation in critical situations: what assets are you trying to save/protect? Prioritise what is critical to the business. This also has the added benefit of getting everyone on the same page, since staff know that the information they handle should be protected accordingly.
  • Timing is critical. Timing is used to test how long it takes before a threat is detected, how long it takes to break into a system, the time to mobilise incident response teams and to neutralise a threat, resource consumption/availability, etc.
  • Statistics/metrics are used throughout to determine whether a response has had a positive effect; milestones are used to determine when to stop neutralising a threat and to assist with the next course of action, to mark how far a system was compromised before detection, etc.
  • Finally, much of this should be integrated/embedded into the business, ideally through an existing business function such as system life cycle management, asset management, incident reporting, etc.

If we relate this to a racing team we have the following:

  • Aim: to win the race
  • Scope: only dealing with cars and not trucks, etc.; prioritise improving the performance of the car, provide constructive feedback to the driver, etc. Also, each discrete unit performs a well-defined, unique task.
  • Timing: it’s a race, the quickest team wins; how long is each component/process/team taking?
  • Statistics: How fast is fast? How do you know you’ve improved? Where can you improve?
  • Integration: This is what makes the team; every discrete unit works together towards a common goal.

The end result:

  • business intelligence gained from this can be applied to other disciplines, e.g. strategy/planning, project management, forecasting/projections, etc., thus delivering tangible benefits to the organisation
  • business agility can be achieved, as changes can be implemented quickly and effectively
  • risk assessment/planning
  • from a security point of view, security visibility will improve, anomalies will be easier to detect, posture will be easier to assess, and security functions will become simpler to perform

In the upcoming blogs, we will discuss a working example of where this can be integrated.

Defining Security Scope: Another way of saying ‘know thy enemy’

You cannot protect what you can’t see

Summary:

  • Know your assets and threats based on industry, size, image, political, social factors, etc.
  • Conduct high level identification and assessment of the threats
  • Produce suitable mitigation strategies/countermeasures for the threats until the risk is at a level agreed by the business

Without knowing your assets and understanding the threats against them, it is extremely difficult if not impossible to protect your environment.

Identifying your assets will be discussed in a later blog. Let’s quickly discuss threats.

Each industry has its specific threats and they range from amateurish to well-funded nation states.

There are models available to help map out what threats your organisation could potentially face.

The areas to consider are:

  • Industry: is it a highly competitive industry?
  • Size: how large is the organisation?
  • Image: does the company depend heavily on its image/brand, and what would happen if it were compromised?
  • Political: do political events affect the organisation?
  • Social: is the organisation operating in an environment where social tensions work against it?

etc.

Each area has its specific threats and, depending on the threat, a suitable risk mitigation strategy should/must be considered, reviewed and implemented.

To put it into perspective, your corner store is probably not going to be targeted by a nation state.

However, a large/vocal pro-Western company may be a target for an anti-Western organisation, political affiliation, etc.

For each threat there is a countermeasure or risk treatment: mitigate, accept, insure, delegate, etc.

Once all of this has been considered, a scope can be defined for the security team and affiliates to adhere to and follow.

Understanding the scope allows any organisation to formulate an appropriate strategy to counter the threats.

Naturally, this will need to be reassessed on a regular basis (think diversification, acquisitions, etc) to ensure that the organisation is protected.