Reducing Real Risk in the Cyber World - PowerPoint PPT Presentation

About This Presentation
Title:

Reducing Real Risk in the Cyber World


Slides: 44
Provided by: clin74

Transcript and Presenter's Notes


1
  • Reducing Real Risk in the Cyber World
  • or
  • STOP THE BLEEDING FIRST!!
  • Franklin S. Reeder
  • reeder_at_bellatlantic.net

2
Affiliations and disclaimers
  • Information System Security and Privacy Advisory
    Board http://csrc.nist.gov/csspab
  • Center for Internet Security www.CISecurity.org
  • Personal

3
Managers are frustrated about how to manage
security
  • What do I need to do?
  • How much is enough?
  • Who can I trust?
  • How can I resolve the conflicting advice I'm
    receiving from the experts?
  • How can I get beyond what seems like a cycle of
    futility?

4
Security staff is frustrated
  • All management wants is operational performance
    and convenience
  • People don't understand the inherent tension
    between security and usability
  • Management is reinforcing the wrong psychology
  • Vendor security defaults are useless
  • Staff time is consumed with installing patches
    and investigating intrusions

5
Everyone is frustrated
  • About how to deal with a problem of global scope
    in a world focused on narrow competitive
    self-interest

6
To make it worse, we have met the enemy, and it
is us
  • Through 2005, 90 percent of cyber attacks will
    continue to exploit known security flaws for
    which a patch is available or a preventive
    measure known.
  • Gartner Group, May 6, 2002

7
What's the problem? Plenty of standards are
available
  • ISO 17799
  • COBIT from ISACA
  • SysTrust, WebTrust from AICPA
  • FISCAM from GAO
  • Principles and Practices for Security of IT
    Systems from NIST
  • Standard of Good Practice from ISF

8
The devil is in the granular details that these
standards don't address
9
Redefining the risk management paradigm
10
Are we facing a cyber Pearl Harbor? Probably not
  • More like a hurricane(s)
  • Localized
  • Potentially intense
  • Affecting a community not necessarily defined by
    geography

11
The old approach
  • Zero-based risk assessments
  • Identified
      • Vulnerabilities
      • Threats
      • Probabilities

12
A new way of approaching risk
  • Vulnerability-based
  • Recognizes
      • Common risks
      • Shared or community risks

13
A new vocabulary
  • Common risks: exposures that everyone who
    operates a particular technology incurs
  • Shared risks: damage that you can inflict on
    others as a result of vulnerabilities in your
    systems, and vice versa

14
The simple message
  • You don't have to do a zero-based risk assessment
    to know that you should deal with common and
    shared risks

15
Stop the BLEEDING first
16
What are the business drivers?
  • In the private sector
      • Tort liability
      • Insurability
      • Reputational risk
      • Financial exposure
  • In the public sector
      • Mission
      • Political risk/public confidence

17
Emerging
  • A new notion of due care

18
The Center for Internet Security (CIS)
  • Formed in October 2000
  • A not-for-profit membership consortium of users
  • No commercial self interest
  • Focused on the common needs of the global
    Internet community
  • Knowledge transfer from haves to have-nots
  • Prevent undue influence by commercial vendors
  • Convene and facilitate consensus on detailed
    operational best practices
  • Modeled after other community initiatives, e.g.,
    transportation safety

19
Responding to the challenge
  • Need to develop and proliferate detailed
    operational best practices
  • The only true solution is to raise the bar
    everywhere--globally
  • Private sector won't trust gov't to do it
  • Private sector companies don't trust each other
    because of competitive self-interest

20
Some of the participants in the consensus effort
  • Government
      • National Institute of Standards and Technology
      • Infocomm Development Authority of Singapore
      • Naval Surface Warfare Center
      • US Treasury Financial Management Service
      • Washington State Dept. of Health
      • US Army Corps of Engineers
      • Defense Info Sys Agency
      • Federal Reserve System
      • NASA
      • Australian Natl Audit Ofc
      • US Dept of Justice
      • Library of Congress
      • Royal Canadian Mounted Police
      • Communications Security Establishment (Canada)
      • Canadian CERT
      • GSA
      • NSA
      • FBI/NIPC
      • FedCIRC
      • State of Maryland

21
Participants (cont'd)
  • Commercial
      • Allegheny Energy
      • Baltimore Gas & Electric
      • Pitney Bowes
      • Component Graphics
      • eScout.com
      • Emprise Technologies
      • REDW Technologies
      • Educational Testing Svc.
      • Financial Models Co.
      • Agilent Technologies
      • Shell Info. Tech. Intl
      • PeopleSoft
      • News Corporation
      • Eastman Kodak
      • Pacific Gas & Electric
      • SASKTel
      • Lucent Technologies
      • LG&E Energy
      • Hallmark
      • Chevron
      • Intel
      • Vulcan Materials
      • Mrs. Smith's Bakeries
      • Caterpillar
      • Intuit
      • NCR

22
More (cont'd)
  • Finance/Insurance/Healthcare
      • VISA
      • Allstate
      • First Union Corporation
      • Natl Life Assurance Co of Canada
      • U.S. Central Credit Union
      • Union Bank of California
      • City National Bank (LA)
      • Baylor College of Medicine
      • Swiss Reinsurance Co (SwissRe)
  • Consulting/Service
      • Permeo Technologies
      • WorldPort (Ireland)
      • Guardent
      • Procinct Security
      • Server Vault
      • Grant Thornton
      • Integralis Ltd (England)
      • Solutionary
      • Polivec

23
More (cont'd)
  • Universities
      • Institute for Security Technology Studies at
        Dartmouth
      • Virginia Tech
      • Monash University (Australia)
      • University of Alabama at Birmingham
      • University of Missouri
      • Blekinge Inst. of Technology (Sweden)
      • Utah State University
      • University of California, SF
      • New York University
  • Consulting/Service
      • PricewaterhouseCoopers
      • Deloitte & Touche
      • ISS
      • Symantec
      • BindView
      • Harris
      • NetIQ
      • VIGILANTe
      • SecureNet Solutions
      • Computer Sciences Corp.

24
Auditing Participants
  • Information Systems Audit and Control Association
    (ISACA)
  • American Institute of Certified Public
    Accountants (AICPA)
  • Institute of Internal Auditors (IIA)

25
The consensus process
  • Focus on real world user needs
  • Form a team for each environment
  • Dedicated email dialogue
  • Conference calls
  • Start with whatever best practice guidelines are
    available
  • Refine via discussion; revise until consensus is
    reached
  • Produce a benchmark and a scoring tool
  • Make them available free to everyone

26
What has collaboration achieved so far?
27
Currently available
  • Level I Configuration Benchmarks
      • Solaris
      • Linux
      • HP-UX
      • Windows NT
      • Windows 2000
      • Cisco Router IOS

28
Solaris 3.17: Turn on inetd tracing, or disable inetd if possible

Action:

    cd /etc/init.d
    if [ -s /etc/inet/inetd.conf ]; then
        # Services remain: rewrite the inetd start line to pass -t (tracing)
        awk '/\/usr\/sbin\/inetd/ { $1 = "/usr/sbin/inetd -t" }; { print }' \
            inetsvc > newinetsvc
    else
        # No services configured: remove the configuration so inetd has
        # nothing to serve, and still rewrite the start line
        rm -f /etc/inetd.conf /etc/inet/inetd.conf
        awk '/\/usr\/sbin\/inetd/ { $1 = "/usr/sbin/inetd -t" }; { print }' \
            inetsvc > newinetsvc
    fi
    # Install the rewritten script in place of the stock S72inetsvc link
    chown root:sys newinetsvc
    chmod 744 newinetsvc
    rm -f /etc/rc2.d/S72inetsvc
    ln -s /etc/init.d/newinetsvc /etc/rc2.d/S72inetsvc

Discussion: If the actions in Section 2 of this benchmark resulted in no
services being enabled in /etc/inet/inetd.conf, then we may as well
disable the inetd service completely on this system. In any event, it is a
good idea to make use of the "tracing" (-t) feature of the Solaris inetd
that logs information about the source of any network connections seen by
the daemon. This information is logged via Syslog and the administrator
must specifically configure the system to capture this information (see
Item 5.2 below).
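A compliance check in the spirit of the scoring tools the slides describe, written here as an added example (it is not the slides' or CIS's own code). It assumes an inetd.conf and an inetsvc init script as inputs and scores item 3.17 against them: are services still enabled, and is inetd started with -t?

```sh
#!/bin/sh
# Scoring-tool style check for CIS Solaris item 3.17 (added example, not the
# benchmark's own code). Reports whether inetd.conf still enables services
# and whether the inetsvc start line passes -t. Sample files are constructed
# below so the check runs offline.

# Count service lines in an inetd.conf (anything that is not blank or a comment).
inetd_services_enabled() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]' || true
}

# Succeed (exit 0) only if the init script starts /usr/sbin/inetd with -t.
inetd_tracing_enabled() {
    grep -E '^[^#]*/usr/sbin/inetd[^#]*[[:space:]]-t([[:space:]]|$)' "$1" >/dev/null
}

# Score item 3.17 for a given inetd.conf and inetsvc script; exit 0 = PASS.
score_item_3_17() {
    conf=$1; svc=$2
    if [ ! -s "$conf" ]; then
        echo "PASS: no inetd.conf, so inetd offers no services"
        return 0
    fi
    n=$(inetd_services_enabled "$conf")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: inetd.conf enables no services; disable inetd entirely"
        return 1
    fi
    if inetd_tracing_enabled "$svc"; then
        echo "PASS: $n service(s) enabled and inetd is started with -t"
        return 0
    fi
    echo "FAIL: $n service(s) enabled but inetd is started without -t"
    return 1
}

# Constructed sample inputs: one service left on, stock vs. hardened start line.
demo=$(mktemp -d)
printf '%s\n' '# constructed inetd.conf' \
    '#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd' \
    'ftp     stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd' > "$demo/inetd.conf"
printf '/usr/sbin/inetd -s &\n' > "$demo/inetsvc.stock"
printf '/usr/sbin/inetd -t -s &\n' > "$demo/inetsvc.hardened"   # after the awk edit
score_item_3_17 "$demo/inetd.conf" "$demo/inetsvc.stock" || :   # expected: FAIL
score_item_3_17 "$demo/inetd.conf" "$demo/inetsvc.hardened"      # expected: PASS
rm -rf "$demo"
```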
29
A Level I Benchmark
  • Can be implemented by a sysadmin of any level of
    security expertise
  • Can be monitored by a compliance tool
  • Is not likely to break any function
  • Represents a baseline level of security

30
Currently available
  • Gold Standard Benchmarks
      • W2K Professional Level II
      • W2K Server Level II
      • CISCO Router IOS Level I/II
      • Solaris Level I

31
Currently available
  • Configuration Scoring Tools
      • Solaris
      • Linux
      • HP-UX
      • Windows NT
      • Windows 2000 Server
      • Windows 2000 Professional
      • Cisco Router IOS

33
Under development
  • Benchmarks and Scoring Tools for
      • Apache
      • Windows IIS
      • Catalyst Switches
      • PIX Firewall
      • Check Point FW-1
      • Windows NT Gold Standard
      • Oracle
      • SQL Server
      • Juniper Router

34
Coming later
  • Applications
  • Appliances

35
Remember this quote?
  • Through 2005, 90 percent of cyber attacks will
    continue to exploit known security flaws for
    which a patch is available or a preventive
    measure known.
  • Gartner Group, May 6, 2002

36
The good news: Research concludes that 80-90% of
known vulnerabilities are blocked by the security
settings in the consensus benchmarks. There is
an abundance of low-hanging fruit we all can pick
to substantially reduce our risk of unauthorized
intrusion.
37
Research methodology
  • (1) Scan a system out of the box and list
    identified vulnerabilities
  • (2) Configure the system with the appropriate
    benchmark
  • (3) Rescan the system and note the
    vulnerabilities remaining

38
This case study is available at www.cisecurity.org
39
Another study (NSA)
Reduction: 96%, 90%, 50%, 91% (table column headings not captured in the transcript)
40
Yet another study (Mitre)
  • Windows 2000 Professional Gold Standard
    configuration reduced CVE vulnerabilities by 83%

41
IA Newsletter describing the NSA and Mitre studies
  • Vol 5, Number 3, Fall 2002
  • http://iac.dtic.mil/iatac/news_events/ia_newsletter.htm

42
Encouraging signs
  • Federal gov't adoption of CIS benchmarks and
    tools
  • VISA adoption of CIS benchmarks for its
    Cardholder Information Security Program's Digital
    Dozen
  • Progress at the vendor level
      • Dell
      • Microsoft

43
What you can do
  • Adopt security best practices wherever you find
    them. The Center for Internet Security
    benchmarks and scoring tools are available free at
    http://www.cisecurity.org
  • Focus your energies on matters unique to your
    organization
  • Share your knowledge: work with the user
    community for everyone's benefit. The bad guys
    communicate with each other; shouldn't we?