Transcript of Chuan weihoo_IISF2011

Page 1: Chuan weihoo_IISF2011

© Copyright 1989 – 2011, (ISC)2 All Rights Reserved

Critical Infrastructure Protection (CIP)

Chuan-Wei Hoo, CISSP, CISA, CFE, BCCE

Volunteer Speaker, (ISC)²

Security Architect, Business Continuity & Security Governance, British Telecom Global Services

www.isc2.org

#IISF2011

Page 2: Chuan weihoo_IISF2011

Agenda

• Introduction

• Current State Of Play

• Back To Basics

• Practical Approach

• Minimum Controls

• Q & A

Page 3: Chuan weihoo_IISF2011

CIP – Introduction*

Entertaining, funny or scary???

* Source: YouTube.com

Page 4: Chuan weihoo_IISF2011

Current State Of Play – Recent Failures

Page 5: Chuan weihoo_IISF2011

Current State Of Play – Past Failures

Even in the movie Jurassic Park, the risk of internal threat was clearly demonstrated by the character Dennis Nedry, the Park’s chief computer programmer, who designed the system which ran the island. He was suffering from unspecified financial problems and felt disgruntled when he was not paid as much as he wanted for his job.

Dennis turned traitor and, secretly and for a sizable sum, agreed to smuggle embryos of all 15 dinosaur species off the island. He shut down all the safety systems so as to avoid the electric fences and spying security cameras. With the power gone, the dinosaurs began escaping from their pens and started killing people.

Page 6: Chuan weihoo_IISF2011

…Possible causes

• Lack of segregation of duties?

• Complacency? …contented self-satisfaction

• Lack of visibility?

• Lack of privileged access management?

• Single-point-of-failure (SPOF)

• Ineffective patch management?

Page 7: Chuan weihoo_IISF2011

Back To Basics

• CIP

– The preparedness for and response to serious incidents that involve critical infrastructure (CI), e.g. airports and service providers (electric power, water, telecommunications, etc.)

– Some CI are SCADA (supervisory control and data acquisition) systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes.

Page 8: Chuan weihoo_IISF2011

Practical Approach

• “Outside-in” versus “Inside-out”

[Diagram, labels only: “Asset” – Physical, Logical, Procedural, Technology; “Asset (sub-components)” – Physical, Logical, Procedural, Technology]

Page 9: Chuan weihoo_IISF2011

Outside-in

• Explore all possible threats to the asset; no breakdown of the asset

• Assess the potential impact and likelihood of each threat

• Determine the mitigating control for each threat

• Design and build the controls for protection

Outcome: The solution tends to be over-engineered and can be costly, and it might fail to address some peculiar threats.

Page 10: Chuan weihoo_IISF2011

Inside-out

• Identify the asset; classification and categorization

• Explore all possible threats to each categorization

• Assess the potential impact and likelihood of each threat

• Determine the mitigating control for each threat

• Design and build the controls for protection

Outcome: Engineered solutions are targeted at the respective threats and vulnerabilities of each categorization. A more comprehensive approach.
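The two slides above describe the same four assessment steps with and without first breaking the asset into categorizations. The following Python risk register is an added example, not part of the talk: it runs both the flat outside-in ranking and the per-categorization inside-out view over one asset, and shows the practical difference, namely that the inside-out view can report a categorization for which no threat was analysed at all. The asset (a hypothetical water-pumping SCADA station), its threats, their impact/likelihood scores and the controls are all constructed; the 1–5 scales, the impact × likelihood scoring and the build threshold of 12 are assumptions of this example, not something the slides prescribe.

```python
"""Inside-out vs outside-in threat assessment over one asset.

Added example; the asset, threats, scores and controls are constructed,
and the 1-5 scales, impact x likelihood scoring and threshold are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four categorizations shown on the "Practical Approach" slide.
CATEGORIES = ("physical", "logical", "procedural", "technology")


@dataclass(frozen=True)
class Threat:
    name: str
    category: str      # one of CATEGORIES
    impact: int        # 1 (negligible) .. 5 (catastrophic)  [assumed scale]
    likelihood: int    # 1 (rare) .. 5 (almost certain)      [assumed scale]
    control: str       # mitigating control chosen for this threat

    @property
    def risk(self) -> int:
        # Assumed scoring: simple impact x likelihood product (max 25).
        return self.impact * self.likelihood


def sample_threats() -> List[Threat]:
    """Constructed threats to a hypothetical water-pumping SCADA station."""
    return [
        Threat("unescorted entry to pump house", "physical", 4, 3,
               "badge-controlled doors with CCTV review"),
        Threat("shared engineering login on HMI", "logical", 5, 4,
               "individual accounts under privileged access management"),
        Threat("unpatched HMI workstation", "technology", 4, 4,
               "vendor-approved patch management cycle"),
        Threat("single network switch for PLC segment", "technology", 5, 2,
               "redundant switch pair"),
        # No procedural threat was analysed: inside_out() flags this gap.
    ]


def outside_in(threats: List[Threat]) -> List[Threat]:
    """Outside-in: treat the asset as one unit and rank all threats by risk."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def inside_out(threats: List[Threat]) -> Tuple[Dict[str, List[Threat]], List[str]]:
    """Inside-out: group threats by categorization, rank within each group,
    and report categorizations that received no threat analysis at all
    (the 'peculiar threats' a flat view can silently miss)."""
    by_cat: Dict[str, List[Threat]] = {c: [] for c in CATEGORIES}
    for t in threats:
        if t.category not in by_cat:
            raise ValueError(f"unknown categorization: {t.category}")
        by_cat[t.category].append(t)
    ranked = {c: sorted(ts, key=lambda t: t.risk, reverse=True)
              for c, ts in by_cat.items()}
    gaps = [c for c, ts in ranked.items() if not ts]
    return ranked, gaps


def controls_to_build(ranked: Dict[str, List[Threat]],
                      threshold: int = 12) -> Dict[str, List[str]]:
    """Controls to design and build: one per threat at or above the
    (assumed) risk threshold, kept per categorization."""
    return {c: [t.control for t in ts if t.risk >= threshold]
            for c, ts in ranked.items()}


if __name__ == "__main__":
    ranked, gaps = inside_out(sample_threats())
    for cat, ts in ranked.items():
        print(cat, [(t.name, t.risk) for t in ts])
    print("categorizations with no analysis:", gaps)
    print("controls to build:", controls_to_build(ranked))
```

With the constructed input, the outside-in ranking simply puts the shared engineering login at the top; the inside-out view produces the same ordering within each categorization but additionally reports that "procedural" was never examined, which is the kind of gap the slides warn the flat approach can leave.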

Page 11: Chuan weihoo_IISF2011

Minimum Controls

• Executive management support

• Thorough understanding/knowledge

– Business

– IT (full inventory - everything)

– Operations (supported by IT)

• Regular comprehensive review

– Identify SPOF

• Continuous self assessment

– Applicable control for tomorrow’s threats
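The "full inventory – everything" and "Identify SPOF" items above connect mechanically: once the inventory records what each system depends on, single points of failure can be computed rather than guessed. The Python below is an added example, not from the talk. The inventory (a hypothetical pumping-station control stack), the dependency model (each node lists requirements, and each requirement is satisfied by any one of a set of alternative providers) and the choice of "pump_control" as the critical service are all constructed for this example.

```python
"""Find single points of failure (SPOF) in a dependency inventory.

Added example. The inventory is constructed; the dependency model (each
node lists requirements, each requirement is met by ANY ONE of a set of
alternative providers) is an assumption of this example.
"""
from typing import Dict, FrozenSet, List, Set

Inventory = Dict[str, List[Set[str]]]


def sample_inventory() -> Inventory:
    """Constructed inventory for a hypothetical pumping-station control stack."""
    return {
        "pump_control": [{"hmi_a", "hmi_b"}, {"plc_1"}, {"scada_lan"}],
        "hmi_a": [{"scada_lan"}, {"historian"}],
        "hmi_b": [{"scada_lan"}, {"historian"}],
        "plc_1": [{"scada_lan"}],
        "scada_lan": [{"core_switch"}],
        "historian": [{"db_server"}],
        "db_server": [{"ups_a", "ups_b"}],
        "core_switch": [{"ups_a", "ups_b"}],
        "ups_a": [],
        "ups_b": [],
    }


def is_up(node: str, inventory: Inventory, removed: Set[str],
          path: FrozenSet[str] = frozenset()) -> bool:
    """True if `node` can operate with every node in `removed` taken out.
    A node is up when it is not removed and each of its requirements has at
    least one alternative provider that is itself up."""
    if node in removed:
        return False
    if node in path:
        raise ValueError(f"dependency cycle through {node}")
    if node not in inventory:
        raise KeyError(f"{node} referenced but not in inventory")
    path = path | {node}
    return all(any(is_up(alt, inventory, removed, path) for alt in alternatives)
               for alternatives in inventory[node])


def single_points_of_failure(inventory: Inventory,
                             critical: List[str]) -> Dict[str, List[str]]:
    """Map each component whose loss alone takes down a critical service to
    the services it would take down. Brute force: remove one component at a
    time and re-evaluate every critical service."""
    spof: Dict[str, List[str]] = {}
    for component in inventory:
        if component in critical:
            continue  # the service itself is what is being protected
        affected = [s for s in critical if not is_up(s, inventory, {component})]
        if affected:
            spof[component] = affected
    return spof


if __name__ == "__main__":
    found = single_points_of_failure(sample_inventory(), ["pump_control"])
    for comp, services in sorted(found.items()):
        print(f"SPOF: {comp:12s} -> {', '.join(services)}")
```

Run against the constructed inventory, the paired HMIs and the two UPS units are not single points of failure, while the lone PLC, the SCADA LAN, its core switch, the historian and the historian's database server are; the historian is the less obvious one, since it only matters because both HMIs depend on it. That is the sort of finding a "regular comprehensive review" is meant to surface.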

Page 12: Chuan weihoo_IISF2011

…Management-wise

• So what should we do?

– Top-down; get executive management to push down the compliance need (a must-do, even when it is difficult to reach the right people)

– Bottom-up; work the ground to get the co-operation of the key stakeholders (lots of PR)

– Acquire the necessary training (training, certification)

– Define detailed SOPs (framework, standards, e.g. ISO/IEC 27001:2005)

– Governance review committee (you chair the committee, using references from a reputable source)

– Put in measurements (measurable):

• Key risk indicators

• Key performance indicators

Page 13: Chuan weihoo_IISF2011

Key Messages

• There’s no silver bullet to the problem, only mitigating controls to minimize the risk.

• Know where your assets are; information & infrastructure (was and is).

• Review and enhance your existing design and plans.

• Review and enhance your existing controls to protect your information assets.

• Continue to educate the end-users and raise awareness (most critical).

Page 14: Chuan weihoo_IISF2011

Thank you!
