Transcript of a slide deck (posted 20-Dec-2015)
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You
Christopher Baum
Research Vice President
Global Government
NYSCIO Conference
July 13th 2005
Key Issues
What security threats are higher education institutions facing, and what are the trends?
What resources are institutions bringing to bear on the security challenge?
What principles should guide institutional IT security planning?
The Gartner/Chronicle of Higher Education IT Security Survey 2004/2005
Mail-based US survey of Chronicle of Higher Education subscribers, closed Nov 2004; email-based EMEA/Australia survey closed May 2005
Topics: IT security organization, funding, attack/misuse incidence, technology, policy
US: 556 total respondents (138 CIOs used); Non-US: 63 respondents (40 EMEA, 23 Australia)
Types of Attacks/Misuse Detected in the Past 12 Months, US Responses
(percent of respondents; values paired with categories in the order they were extracted from the chart)
Financial Fraud                                   3%
Unauth Access Other Data                          6%
Unauth Access Student Data                        7%
Altered/vandalized Website                       18%
Ext Activity from Int Resources by Insiders      24%
Ext Activity from Int Resources by Outsiders     32%
System Penetration/compromise                    38%
Denial of Service Attack                         66%
Computer Theft                                   77%
Virus/Trojan/Worm                               100%
Types of Attacks/Misuse Detected in the Past 12 Months, Non-US Responses
(percent of respondents; values paired with categories in the order they were extracted from the chart)
Financial Fraud                                   3%
Unauth Access Other Data                          5%
Unauth Access Student Data                        8%
Altered/vandalized Website                       22%
Ext Activity from Int Resources by Insiders      11%
Ext Activity from Int Resources by Outsiders     17%
System Penetration/compromise                    37%
Denial of Service Attack                         59%
Computer Theft                                   70%
Virus/Trojan/Worm                                95%
Change in Attack/Misuse Incidence Compared to Previous 12 Months, US Responses
[Stacked bar chart, Fewer / Same / More, 0-100%, for: Financial Fraud; Unauthorized Access to Other Data; Unauthorized Access to Student Data; Altered/vandalized Website; External Activity from Internal Resources by Insiders; External Activity from Internal Resources by Outsiders; System Penetration/compromise; Denial of Service Attack; Laptop Theft; Desktop/Server Theft; Virus/Trojan/Worm. Per-category values are not recoverable from the extracted text.]
Change in Attack/Misuse Incidence Compared to Previous 12 Months, Non-US Responses
[Stacked bar chart, Fewer / Same / More, 0-100%, for the same eleven categories as the US chart. Per-category values are not recoverable from the extracted text.]
US Responses: Calculated Financial Loss
(percent, as extracted; values paired with categories in the order they were extracted from the chart)
Financial Fraud                                    50%
Unauthorized Access to Other Data                  13%
Unauthorized Access to Student Data                10%
Altered/vandalized Website                          0%
Ext Activity from Internal Resources by Insiders    0%
Ext Activity from Internal Resources by Outsiders   0%
System Penetration/compromise                       2%
Denial of Service Attack                            5%
Laptop Theft                                       58%
Desktop/Server Theft                               57%
Virus/Trojan/Worm                                   8%
Loss calculation favors "obvious" hard values; real costs are going almost unmeasured.
Non-US Responses: Calculated Financial Loss
(percent, as extracted; values paired with categories in the order they were extracted from the chart)
Financial Fraud                                   100%
Unauthorized Access to Other Data                   0%
Unauthorized Access to Student Data                20%
Altered/vandalized Website                         21%
Ext Activity from Internal Resources by Insiders   43%
Ext Activity from Internal Resources by Outsiders  27%
System Penetration/compromise                      22%
Denial of Service Attack                           38%
Laptop Theft                                       27%
Desktop/Server Theft                               17%
Virus/Trojan/Worm                                  45%
US Percentage of IT Budget Spent on Security
Current FY Mean: 6.24%
Percentage compared to previous fiscal year: Increased / Same / Decreased [pie chart; slice values as extracted: 1%, 42%, 57%; the text does not say which value belongs to which slice]
Non-US Percentage of IT Budget Spent on Security
Current FY Mean: 4.78%
Percentage compared to previous fiscal year: Increased / Same / Decreased [pie chart; slice values as extracted: 10%, 43%, 47%; the text does not say which value belongs to which slice]
US Information Security Officer: Status and Plans
Has institution designated an ISO? (Yes / No / Don't Know)
If not, plan to designate one within 12 months? (Yes / No / Don't Know)
[Two pie charts; slice values as extracted: 65%, 75%, 12%, 30%, 70%, 13%; the text does not say which value belongs to which slice]
Non-US Information Security Officer: Status and Plans
Has institution designated an ISO? (Yes / No / Don't Know)
If not, plan to designate one within 12 months? (Yes / No / Don't Know)
[Two pie charts; slice values as extracted: 65%, 80%, 10%, 35%, 65%, 10%; the text does not say which value belongs to which slice]
US Security Planning & Training
Have a formal IT Security Plan? (Yes / No / Don't Know)
Plan to resume mission-critical operations during crisis? (Yes / No / Don't Know)
Offer security awareness training? (Yes / No / Don't Know)
[Three pie charts; slice values as extracted: 41%, 58%, 1%; 78%, 22%; 30%, 69%, 1%; the text does not say which value belongs to which slice]
Non-US Security Planning & Training
Have a formal IT Security Plan? (Yes / No / Don't Know)
Plan to resume mission-critical operations during crisis? (Yes / No / Don't Know)
Offer security awareness training? (Yes / No / Don't Know)
[Three pie charts; slice values as extracted: 54%, 46%; 81%, 19%; 81%, 19%; the text does not say which value belongs to which slice]
US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis
[Bar chart, scale 0-50: More than once a month; Once a month; Once every 2-3 months; Once a semester; Once a year; Not been tested. Values are not recoverable from the extracted text.]
Non-US: Frequency of Testing Plan to Resume the Operation of Mission-Critical Information Systems and Protect Related Data During a Crisis
[Bar chart, scale 0-50: More than once a month; Once a month; Once every 2-3 months; Once a semester; Once a year; Not been tested. Values are not recoverable from the extracted text.]
Expertise in Practice: CISO Organisation
Board of Trustees
  President
    CIO
      CISO
        Policy Management: policies and standards; risk assessment/profiling; policy compliance and consulting; awareness training; business security architecture; intellectual property management
        Security Administration: platform/application user management
        Security Engineering: minimum platform standards; technical security architecture
        Incident Response: identify threat and solution
    Business/Academic Unit Management
      BISO (business information security officer)
US Anti-Viral Software: Mandatory, Optional, Not Available
Non-US Anti-Viral Software: Mandatory, Optional, Not Available
US: VPN for Remote Access: Mandatory vs Optional
Non-US: VPN for Remote Access: Mandatory vs Optional
US: Personal Firewall: Mandatory, Optional or Not Available
Non-US: Personal Firewall: Mandatory, Optional or Not Available
[Six bar charts, scale 0-80, each showing Mandatory / Optional / Not Available for Faculty, Staff and Students. Values are not recoverable from the extracted text.]
Policy and Training
Security policies need to be concise, clear, role-based and enforceable
– Non-technical user issues: acceptable use, privacy, business continuity
– Technical staff: privileged access and ethical statement, password management, change management, role
– A policy that isn't signed can't be enforced
Focus security training on network and system administrators
Create a security culture
Defense in Depth in Practice: Scan and Block
Endpoints: Home PC, Corporate Laptop, Contractor Laptop
Access path: VPN, Switch
Infrastructure receiving the scan results: RADIUS Server, DHCP Server, Policy Server
Scan good: allow connect
Scan bad: block
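The admission rule in the diagram (scan good: connect; scan bad: block) is the decision a policy server makes from an endpoint's scan results. The following is an added example, not code from the slides or from any vendor's product: a small rule set over constructed scan fields, with assumed thresholds (signature age, forbidden services) and four constructed endpoints. It also shows the one refinement practitioners usually add, a quarantine verdict for managed devices whose only failures are fixable by an update.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Assumed scan fields reported by an endpoint agent (constructed, not survey data).
@dataclass
class ScanResult:
    device: str
    owner_type: str                  # "corporate", "contractor" or "home"
    av_installed: bool
    av_signatures: date              # date of the newest signature set on the host
    firewall_enabled: bool
    missing_critical_patches: int
    listening_services: List[str] = field(default_factory=list)

@dataclass
class Decision:
    verdict: str                     # "allow", "quarantine" or "block"
    reasons: List[str]

# Assumed policy thresholds.
MAX_SIGNATURE_AGE_DAYS = 7
FORBIDDEN_SERVICES = {"telnet", "smbv1", "tftp"}

def evaluate(scan: ScanResult, today: date) -> Decision:
    """Scan good: allow connect. Scan bad: block, or quarantine for remediation
    when the device is one we manage and nothing dangerous is listening."""
    reasons: List[str] = []
    if not scan.av_installed:
        reasons.append("no anti-virus installed")
    elif (today - scan.av_signatures).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("anti-virus signatures older than %d days" % MAX_SIGNATURE_AGE_DAYS)
    if not scan.firewall_enabled:
        reasons.append("personal firewall disabled")
    if scan.missing_critical_patches > 0:
        reasons.append("%d critical patches missing" % scan.missing_critical_patches)
    exposed = FORBIDDEN_SERVICES & {s.lower() for s in scan.listening_services}
    if exposed:
        reasons.append("forbidden services listening: " + ", ".join(sorted(exposed)))

    if not reasons:
        return Decision("allow", [])
    # Default deny. Managed corporate devices are the one exception, and only when
    # no forbidden service is exposed: they get a remediation network (in practice
    # the RADIUS/DHCP side hands out a quarantine VLAN) instead of a refusal.
    if scan.owner_type == "corporate" and not exposed:
        return Decision("quarantine", reasons)
    return Decision("block", reasons)

def sample_decisions(today: date = date(2005, 7, 13)) -> Dict[str, Decision]:
    """Constructed endpoints matching the diagram's Home PC, Corporate Laptop and
    Contractor Laptop, plus a corporate laptop that is exposing telnet."""
    scans = [
        ScanResult("home-pc", "home", True, date(2005, 7, 12), True, 0),
        ScanResult("corp-laptop", "corporate", True, date(2005, 6, 1), True, 2),
        ScanResult("contractor-laptop", "contractor", False, date(2005, 1, 1), False, 5),
        ScanResult("corp-laptop-2", "corporate", True, date(2005, 7, 13), True, 0, ["telnet"]),
    ]
    return {s.device: evaluate(s, today) for s in scans}

if __name__ == "__main__":
    for device, decision in sample_decisions().items():
        print(device, decision.verdict, "; ".join(decision.reasons))
```

The rule set returns every failed check, not just the first, because the remediation network needs the full list to tell the user what to fix; and the quarantine path is deliberately narrow (managed device, no forbidden service), since a contractor or home machine cannot be pushed an update by the institution.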
Vulnerability Management Technologies
Lifecycle phases: Baseline/Discover; Monitor; Prioritize; Mitigate; Maintain
Technologies: Asset Inventory and Classification; Audit and Policy Compliance Tools; Security Management; Vulnerability Assessment (network, system, application); External Threat Services; Mitigation Workflow; Patch Install; Shielding (Firewall, IPS, Scan and Block); Provisioning; Configuration Management
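The Prioritize and Mitigate phases are where the technologies listed above get combined: asset classification weights the severity from the vulnerability assessment, the external threat service says whether an exploit is circulating, and the workflow chooses between patching and shielding. The following is an added example, not from the slides or from any vulnerability-management product; the hosts, classifications, VULN-* identifiers and weights are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory and findings; the VULN-* identifiers are placeholders, not real advisories.
@dataclass(frozen=True)
class Asset:
    host: str
    classification: str     # "critical", "important" or "routine" (from asset classification)
    internet_facing: bool

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float             # base severity from the vulnerability assessment, 0.0-10.0
    exploit_public: bool    # external threat service reports a circulating exploit
    patch_available: bool

CLASS_WEIGHT = {"critical": 3.0, "important": 2.0, "routine": 1.0}   # assumed weights

def risk_score(f: Finding, a: Asset) -> float:
    """Severity weighted by what the asset is worth and how reachable it is."""
    score = f.cvss * CLASS_WEIGHT[a.classification]
    if a.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 2.0
    return round(score, 1)

def recommended_action(f: Finding, a: Asset) -> str:
    """Mitigation choice: patch when you can, shield an exposed host with a
    firewall/IPS rule until you can, otherwise change its configuration."""
    if f.patch_available:
        return "patch"
    if a.internet_facing:
        return "shield"
    return "reconfigure"

def prioritize(findings: List[Finding], assets: List[Asset]) -> List[Dict]:
    by_host = {a.host: a for a in assets}
    rows: List[Dict] = []
    for f in findings:
        a = by_host.get(f.host)
        if a is None:
            # A finding on a host the inventory does not know is a baseline failure:
            # it goes to the head of the queue so the inventory itself gets fixed.
            rows.append({"host": f.host, "vuln": f.vuln_id, "score": None, "action": "inventory"})
        else:
            rows.append({"host": f.host, "vuln": f.vuln_id,
                         "score": risk_score(f, a), "action": recommended_action(f, a)})
    # Unknown hosts first (False sorts before True), then descending score, then host name.
    rows.sort(key=lambda r: (r["score"] is not None, -(r["score"] or 0.0), r["host"]))
    return rows

def sample_queue() -> List[Dict]:
    assets = [
        Asset("sis-db", "critical", False),      # student information system database
        Asset("www", "important", True),         # public web server
        Asset("lab-pc-17", "routine", False),
    ]
    findings = [
        Finding("lab-pc-17", "VULN-0003", 5.0, False, True),
        Finding("sis-db", "VULN-0001", 9.0, False, True),
        Finding("www", "VULN-0002", 7.5, True, False),
        Finding("ghost-host", "VULN-0004", 6.0, False, True),   # not in the inventory
    ]
    return prioritize(findings, assets)

if __name__ == "__main__":
    for row in sample_queue():
        print(row)
```

Note that the highest-CVSS finding (9.0 on the database) does not come out on top: the web server's 7.5 with a public exploit and internet exposure scores higher, which is the point of prioritizing on asset value and external threat rather than on raw severity.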
Understanding the Environment
Trace the value from the forces on your organization, through how they affect it and how you react, to the architecture:
Environmental Trends (forces on your organization)
Business Drivers (how they affect your organization)
Business Strategies and Tactics (how you react)
Information Requirements (what, who, when, how)
Architecture Design Principles ("Thou shalt...")
Business and Technology Architecture
Information Requirements
What do we know? What do we need? Where do we get it? Where does it need to be? When does it need to be there? Who should not see it?
Across: People, Systems, Processes, Data
A New World: Variably Connected, Variably Secure: Dimensions
Connectedness
– Connection state: disconnected; occasionally connected; occasionally disconnected; connected with dropouts; connected
– Throughput: low; high; bursty
Security environment: contained; constrained
Urgency
Information: source; authenticity; non-repudiation; time sensitivity; confidentiality; business rules
Device: identity; trustworthiness
Agent: identity; trustworthiness; role; responsibility; privilege
Seven Guiding Principles of IT Security
Defense in Depth
– Combine proactive and reactive mechanisms
Principle of Least Privilege
– Users, processes and resources get the minimum necessary access
The Weakest Link
– Train against social engineering
Security Expertise is Key
– Establish a CISO office; mix central policy with distributed implementation
Build Security in Early
– The earlier a defect is found, the cheaper it is to fix
Be Paranoid
– Don't just build for legitimate or "correct" usage
Simplify, Simplify, Simplify
– Simpler systems are easier to deploy, manage and maintain
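Two of the principles, least privilege and "be paranoid", are easiest to see side by side in code. The following is an added example, not from the slides: a student-records lookup written first for "correct" usage only, then hardened with a deny-by-default grant table per role and a path check that refuses anything outside the records tree. The directory layout, the role grants, the student-id format and the identifiers are constructed assumptions.

```python
import posixpath
import re

# Assumed layout: one text file per student under <root>/<record type>/<student id>.txt
RECORDS_ROOT = "/srv/records"
STUDENT_ID = re.compile(r"[A-Za-z0-9]{4,12}")   # assumed identifier format

# Least privilege: each role is granted only the record types it needs.
# Anything not listed is denied; there is no "admin sees everything" entry.
GRANTS = {
    "registrar": {"transcript", "enrollment"},
    "advisor": {"enrollment"},
    "student": {"transcript"},
}

class AccessDenied(Exception):
    pass

def record_path_naive(record_type: str, student_id: str) -> str:
    """'Before' form: built for correct usage only. No role is checked, and a
    student id of '../../etc/passwd' walks out of the records tree."""
    return posixpath.join(RECORDS_ROOT, record_type, student_id + ".txt")

def record_path(role: str, requester_id: str, record_type: str, student_id: str) -> str:
    """'After' form: deny by default, check the grant, restrict students to their
    own record, validate the identifier, and refuse any path that normalises to
    somewhere outside the records root (belt and braces: the id check alone
    already rules out '/', '.' and '..', the path check catches future mistakes)."""
    if record_type not in GRANTS.get(role, set()):
        raise AccessDenied("role %r may not read %r" % (role, record_type))
    if role == "student" and requester_id != student_id:
        raise AccessDenied("students may read only their own record")
    if not STUDENT_ID.fullmatch(student_id):
        raise AccessDenied("malformed student id")
    candidate = posixpath.normpath(
        posixpath.join(RECORDS_ROOT, record_type, student_id + ".txt"))
    if not candidate.startswith(RECORDS_ROOT + "/"):
        raise AccessDenied("path escapes the records root")
    return candidate

def outcome(role: str, requester_id: str, record_type: str, student_id: str) -> str:
    """Convenience wrapper that turns a refusal into a string, for the demo below."""
    try:
        return record_path(role, requester_id, record_type, student_id)
    except AccessDenied as err:
        return "denied: " + str(err)

if __name__ == "__main__":
    print(record_path_naive("transcript", "../../etc/passwd"))          # escapes the tree
    print(outcome("registrar", "r1", "transcript", "S12345"))            # allowed
    print(outcome("advisor", "a1", "transcript", "S12345"))              # wrong role
    print(outcome("student", "S00001", "transcript", "S00002"))          # someone else's record
    print(outcome("registrar", "r1", "transcript", "../../etc/passwd"))  # traversal refused
```

The grant table is the simplest form of least privilege: the advisor role never sees transcripts because the table never says it may, not because a special case forbids it. The identifier and path checks are the "paranoid" half, written on the assumption that the caller's input is hostile rather than merely malformed.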