Being a CISO. Or, How to Spend Your Weekends… (Fall 2007)
Agenda
• General Overview of the CISO Arena
• Technical Security
• Information Security
• Strategic Security
• Kirk Bailey – CISO, UW
• Ernie Hayden – CISO, Port of Seattle
• Q & A
SECURITY PROFESSION EXPERTISE LEVELS
(Chart based on Forrester, April 2005, enhanced/modified by Kirk Bailey and Ernie Hayden. The chart stacks three levels, Technology Security, Information Security and Strategic Security, against the kinds of problems each addresses: Technology Problems, Business Problems and Critical Security Problems, with a Research band alongside.)
Technology Security:
• Firewalls
• Intrusion Detection
• Network Security
• Viruses, Worms, Crimeware
• System Hardening
• Encryption
• Engineering
Information Security and Strategic Security (the upper two levels of the chart):
• Risk Management
• Business Continuity / Disaster Planning
• Intellectual Property
• Business / Financial Integrity
• Regulatory Compliance
• Industrial Espionage
• Privacy
• Forensics & Investigations
• Terrorism & CyberCrime
• Regional Interests (Including Cyber and Natural Disasters)
• Nation State Interests
• Intelligence
• Professional Alliances
• Politics
• Strategies and Tactics
WHY “STRATEGIC SECURITY”
It is not pretty out there…
Troubling Realities
41,000,000 of ’em out there!
“In the world of networked computers every sociopath is your neighbor.”
Dan Geer, Chief Scientist, Verdasys
Cyber Attack Sophistication Continues To Evolve (Source: CERT 2004)
[Chart: Attack Sophistication over time (1980, 1985, 1990, 1995, 2000+) plotted against Intruder Knowledge / Attackers' Technical Skills (High to Low). Techniques plotted include: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, network mgmt. diagnostics, automated probes/scans, www attacks, denial of service, “stealth” / advanced scanning techniques, distributed attack tools, staged attack, cross site scripting, bots.]
[Image: Species 8472] RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?
Cybercrime and Money… • McAfee CEO: “Cybercrime has become a $105B business that now surpasses the value of the illegal drug trade worldwide”
Symantec Internet Security Threat Report
• Threat landscape is more dynamic than ever
• Attackers rapidly adapting new techniques and strategies to circumvent new security measures
• Today’s Threat Landscape:
• Increased professionalism and commercialization of malicious activities
• Threats tailored for specific regions
• Increasing numbers of multi-staged attacks
• Attackers targeting victims by first exploiting trusted entities
• Convergence of attack methods
Kirk Bailey, CISSP, CISM
• Objectives (Confidentiality, Availability, Integrity)
• Intelligence
• Trusted Alliances
• Innovative Thinking
• Risk Management (Liability Protection)
• Compliance Challenges
  • Contractual
  • Statutory & Regulatory
  • Industry Standards
Ernie Hayden, CISSP
• Key Functions:
  • Information & Computer Security
  • Business Continuity / Continuity of Operations (COOP) / Disaster Recovery Planning
  • Privacy
  • Critical Infrastructure Protection Policy
  • Emergency Communications
A Sampling of Projects
• Technology Issues
  • VOIP Security
  • Web Application Security
• Employee Awareness
  • Monthly Brownbags
  • Secure Coding – Web Development
  • Home PC Security Training
• BCP/DRP
  • Incident Response Procedure
  • IT Disaster Recovery Policy
  • Drills, Tabletops
  • NIMS & ICS
• Emergency Communications
  • SendWordNow
  • WebEOC – Emergency Operations Center Visualization Tool
• Administration
  • Budgets
  • Audits (e.g., Deloitte/State)
  • Policies & Procedures
    • Appropriate Use – Update/Revision
    • Security Policy – General
    • Cell Phone Disposal
    • RCW 19.255 Response
• Security Management
  • Security Strategy
  • Top 10 List
  • Metrics, Dashboard
  • Security Governance
  • Security Domain Architecture
• Committees
  • Architecture Management Board
  • Corporate Security Council
  • Change Management Board
Strategic Security Plan Elements
• Organization & Authority Controls
• Policy
• Risk Management Program
• Intelligence Program
• Audit & Compliance Program
• Privacy Program
• Incident Management
• Education & Awareness Program
• Operational Management
• Technical Security & Access Controls
• Monitoring, Measurement & Reporting
• Physical & Environmental Security
• Asset Identification & Classification
• Employee & Related Account Management Practices
What Do You Think?
• Prioritize this task/response list:
  • Key Application Vendor Contract Review
  • 100’s of Incoming Spam Complaints
  • Forensic Report on New Rootkit Compromises (30 machines)
  • Patch Management Process Concerns
  • Email Service Interruptions
  • New Credit Card Processing System for Husky Stadium Requires CISO Approval
  • Electronic Harassment of an Employee
HELP!
Thoughts…
• The CISO of the future is the one who can run the risk-management organization.
• The days of security being handled by the 'network person' who did security in their spare time are over, and increasingly we are seeing seasoned professionals with real business experience and business school qualifications stepping into the security space.
Quotes by Paul Proctor
Kirk Bailey, CISSP, CISM
CISO, University of Washington
206-685-5475
kirkb01@u.washington.edu

Ernie Hayden, CISSP
CISO / Manager Enterprise Information Security, Port of Seattle
2711 Alaskan Way, Seattle, WA 98121
206-728-3460
Hayden.e@portseattle.org

THANKS!!