Electronic Risk Management, No Finish Line: A Talk for CTOs
John Ellis
Executive Director of Information Technology Services
The College of Saint Rose

The “Incident”
Initial Responses
• Shut down and/or lock down systems
• Change system passwords
• Involve local police department & the FBI
• Conduct forensic analysis
• Try to figure out exactly what the hell happened
Initial Consequences
• Report to the President’s Cabinet
• Report to the Board of Trustees
• Embarrassment
• Paranoia
• Feeling of being “violated”
• Feeling of vulnerability
Considerations
• Avoiding the blame game
• Negative publicity
• Damage to reputation
• Learn from our mistakes
• How to prevent this from happening again
Keeping the “Incident” from Happening Again
• Contracted with a Cyber Security Company
• Increased scrutiny of cyber/data security issues
• Increased end user education
• Information Security Audit
  • ITS did not know if, when or how this would occur
  • We wanted it to be as realistic as possible
The Good Guy “Attack”
• Penetration Tests
  • Attempts to hack into our various systems
  • Attempts to connect to our wired & wireless networks
• Social Engineering
  • Studied our “public” information
    • Web site
    • Employee directories
  • Pretended to be Help Desk Technician
    • asked for and got passwords
  • Pretended to be electrician
    • installed keystroke logger
  • Talked a janitor into letting them into our NOC
The Results - Strengths:
• Physical Security – Physical and Environmental Security met with the highest consistency from a control area perspective. Handling of hazardous materials, physical security of facilities, utilities management and facilities planning and management all produced favorable findings.
• Compliance – Findings regarding compliance were positive. The organization’s understanding of compliance requirements, empowerment of management, delegation of responsibilities and accountability, and appropriate protection of Intellectual Property were all cited favorably.
• Guard Orders – Guard orders were clear, consistent and complete. Definitions of commonly used terms were clear and easy to find. Coordination of efforts with law enforcement, activities involving monitoring with Closed Circuit Television (CCTV) and recovery of missing children were consistent with guidance provided by law enforcement agencies. Revisions of documents were clearly marked, along with references, purpose and policy.
The Results - Weaknesses:
• Documentation – The assessment revealed a lack of documentation across all practices, departments and control areas. Inadequacies ranged from missing operational documentation, such as Configuration Management baselines, to incomplete or missing formal policies and procedures. This deficiency led to inconsistencies in the terms, application and definitions of security – from one person to the next, one day to the next or one situation to the next.
• Data Classification – While the practice of identifying sensitive information and assets appeared to be present, a formal, documented system of classification was not. Understanding the criticality of an organization’s assets is a cornerstone of good security; applying it consistently requires rigor that only a formal policy, documentation and framework can bring. The classification system can then be applied effectively through security controls that are merely the extension of the classification system itself.
• Data Leakage – In today’s world, it is not enough to simply prevent intrusions. It is also important to consider the exfiltration of sensitive data. The security controls currently in place, while potentially effective in their roles, do little to deter, prevent, detect or correct the loss of information assets.
• Security Awareness Training – In most cases, people are an organization’s greatest weakness. In nearly every case, people can be trained to be an organization’s greatest strength. Continuous, relevant, current and effective training is not only an effective security measure, but also required for various compliance mandates.
• Business Continuity Planning – With deficiencies in ownership, planning, documentation and testing, Business Continuity Planning met with the largest gaps in consistency from a control area perspective.
Most Significant Weakness
• The human element
• We are expected to be helpful
• We are too trusting
• We like to empower our end users
• We (ITS) are hesitant to inhibit productivity
• We can be lazy
Risk Management Matrix
• We examined over 230 separate potential vulnerabilities in excruciating detail!
• Based on Information technology — Security techniques — Code of practice for information security management (BS ISO/IEC 27002:2005, BS 7799-1:2005)
But there really is no “End”
• Cyber Security is an ongoing effort
• The bad guys keep getting better
• Their tactics constantly change
• Technology introduces new vulnerabilities
  • Bring Your Own Device (BYOD)
  • Ubiquitous wireless connectivity
  • Increasingly web-based world
  • Converged technologies
  • Converged work & home worlds