I found two lovely papers from:
- SANS Reading Room --- "Defense in Depth: Employing a Layered Approach for Protecting Federal Government Information System".
- CERT --- "Common Sense Guide to Mitigating Insider Threats, 4th Edition" (not just common sense at all)
My client is not a government agency. Instead:
- It is the headquarters office of a large enterprise group.
- The group has many subsidiaries doing business in different areas, such as retail, trading, telco, etc.
- In the headquarters office, around 100 senior managers have mobile-device remote access rights.
- A number of applications are used across the group; their servers are installed in headquarters, and subsidiaries access those services/servers through an IPSec VPN that has been built.
- My client's office looks like a "government" within the group.
Therefore, I chose to share this paper with him, with a bit of a summary.
Agenda:
(1) Threats to an Enterprise Information System (Internal, External)
(2) Risks to Information System
(3) Creative Ways for CIOs to Stretch IT Budgets
(4) Techniques for Protecting Enterprise Information System (Hardware, Software, Policy)
Summary
(1) Threats to an Enterprise Information System
- Attacks come from individuals and groups; malicious sources of threat include information warfare, hackers, virus writers, and disgruntled employees and contractors.
- Sources can be classified into two types of threats to information systems: internal and external.
(1.1) INTERNAL:
- Internal threats are mostly defined as current or former personnel (employees or contractors).
- These individuals have greater access to sensitive information, and knowledge of security weaknesses, through their current or previous work experience.
- Additionally, an insider has an established trust relationship, so the person may not be questioned if seen in an authorized location or when asking for special network access.
- Cybercriminals may also use internal employees as their attack vector for causing mayhem (most successful method: social engineering).
- Social engineering is when an attacker convinces an individual to perform an action or provide information about their computing environment that is not public knowledge. The attacker will usually claim to be IT support personnel and ask the "victim" to perform "diagnostic" activities which assist them in their attack.
(1.2) EXTERNAL:
- External threats can be defined as "any vulnerability which can be exploited to gain access to an environment from outside the [host] environment".
- A vulnerability can be viewed as a weakness in the information system or security policy that an attacker uses to their advantage.
- Examples of vulnerabilities:
  - Lack of software patch management,
  - Cross-site scripting,
  - Weak passwords, or
  - Unnecessary ports open on the firewall
- Espionage
  - Competitors that damage information systems for political or economic gain
  - Attackers target the enterprise and also its key contractors
  - Contractors may be slower in adopting the same security standards as the enterprise
- Spear-phishing
  - Attackers aim to gain unauthorized access to confidential data
  - Examples of subject lines from successful spear-phishing emails include "mailbox exceeded", "helpdesk assistance required" or "password expired"
  - The message "appears" to come from a trusted source (e.g. an IT admin)
  - When employees click the link supplied in the message, they are asked to "log in" with their username/password
  - Attackers use the victim's login for network access, and send the same email message from that account to increase the pool of people to be compromised.
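As an added defender-side example (not from the paper or from this post), the following Python script triages mail against the spear-phishing pattern just described: a lure subject line, a display name claiming to be IT support while the sender address is on an external domain, and a "log in" link whose host is outside the corporate domain. The sample messages are constructed, and the corporate domain `example.com` is a placeholder assumption.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the enterprise's own mail/web domain (placeholder value).
CORP_DOMAIN = "example.com"

# Lure subject lines quoted in the paper, matched case-insensitively.
LURE_SUBJECTS = ("mailbox exceeded", "helpdesk assistance required", "password expired")
# Display-name words an attacker uses to impersonate a trusted IT source.
IT_DISPLAY_WORDS = ("it admin", "it support", "helpdesk", "service desk")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def host_in_domain(host, domain):
    """True if host is the corporate domain or a real subdomain of it (not a look-alike)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def score_message(msg):
    """Return the list of reasons a message matches the spear-phishing pattern."""
    reasons = []
    if any(lure in msg.get("subject", "").lower() for lure in LURE_SUBJECTS):
        reasons.append("lure subject")
    display, addr = parseaddr(msg.get("from", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_it = any(word in display.lower() for word in IT_DISPLAY_WORDS)
    if claims_it and not host_in_domain(sender_domain, CORP_DOMAIN):
        reasons.append("IT display name but external sender domain")
    for url in URL_RE.findall(msg.get("body", "")):
        host = urlparse(url).hostname or ""
        if not host_in_domain(host, CORP_DOMAIN):
            reasons.append(f"external link host: {host}")
            break  # one external link is enough to flag
    return reasons

# Constructed sample messages (not real mail): one lure, one benign internal notice.
SAMPLE_MESSAGES = [
    {"from": "IT Admin <it-admin@example-mail-support.net>",
     "subject": "Password expired - action required",
     "body": "Your password expired. Log in at http://example.com.login-verify.net/owa to keep access."},
    {"from": "HR Team <hr@example.com>",
     "subject": "Holiday schedule",
     "body": "The schedule is on https://intranet.example.com/hr/holidays"},
]

def triage(messages):
    """Map each flagged message's subject to its reasons; clean messages are omitted."""
    flagged = {}
    for msg in messages:
        reasons = score_message(msg)
        if reasons:
            flagged[msg["subject"]] = reasons
    return flagged

if __name__ == "__main__":
    for subject, reasons in triage(SAMPLE_MESSAGES).items():
        print(f"FLAG {subject!r}: {'; '.join(reasons)}")
```

The look-alike host `example.com.login-verify.net` is caught because the check requires a real subdomain relationship, not merely that the corporate name appears in the hostname.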
(2) Risks to Information Systems
- Risk management: defined as "the process of managing risks to enterprise operations"
- Assets at risk in the information system include:
  - Resources: company financial information, business transaction information
  - Sensitive information: internal staff records, client records
(3) Creative Ways for CIOs to Stretch IT Budgets
- BYOD
  - Security professionals now need to weigh the business case for using personal devices, and their lack of security, in a new light
- Cloud
  - Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS)
  - The premise behind using cloud computing is to eliminate the need for agencies and departments to have their own data centers for application hosting and security monitoring.
  - Instead, enterprises are to rely on certified third-party vendors to host agency data and applications.
  - With these changes, security professionals now need to keep their data and information systems secure when they are located in many places.
(4) Techniques for Protecting Enterprise Information Systems
- Hardware
  - Firewall, intrusion detection system (IDS), intrusion prevention system (IPS), host intrusion prevention system (HIPS) and multi-factor devices (e.g. secure token devices)
  - Portable media encryption: sensitive data stored on desktop and laptop computers is protected
  - Network Access Control / Identity Services Engine (e.g. Cisco): a device is required to be "securely checked in" every time it tries to connect to the network (including mobile devices)
  - Data loss prevention / email security (e.g. IronPort, Check Point) and web-content filtering (e.g. Check Point, BlueCoat, Palo Alto) deployed at the gateway, to block phishing and malware
  - Two-factor authentication solution
- Software
  - Endpoint devices (desktops, laptops, mobile devices) need anti-virus (anti-malware) software deployed (e.g. McAfee), which can be centrally managed by McAfee ePolicy Orchestrator (ePO); this includes mobile devices
  - Patch management for all Windows-based equipment is required
  - (optional, for confidential email): Public key infrastructure (PKI) encryption should be enforced
  - (for sensitive desktops or laptops): the device should have the EnCase forensic software applet installed. This allows the IT/Security team to conduct an initial forensic investigation "over the wire" as a means of catching a potential compromise in real time. If the "over the wire" forensics do not work, IT support removes the drive and sends it through a proper chain-of-custody procedure.
  - USB port control and removable media encryption solution
- Policy
  - Ensure contracts contain the standardized security clause.
  - "Policy" is the duty of the Information Security Officer (ISO), but IT personnel, contracting officers (COs) and supervisors play a role in compliance as well.
  - Segregation of duties (personnel who manage the data versus personnel who protect the data)
  - Software protective measures (in the Software section above) enforce security policy as a means of decreasing exposure to malicious software.
  - All employees and contractors are required to take security awareness training and privacy training within 30 days of entry into duty, so they are trained on their information security responsibilities
  - Security training provides information on what should be done in certain situations (e.g. protecting sensitive information, not providing logins via suspicious email links)
  - Refresher training is required annually
  - All employees with significant information security responsibilities should complete role-based training. Depending on the role, the individual may take a course tailored to their specific job (e.g. database admin, system admin, CIO, etc.)
  - Ticketing system and reporting procedure for reporting potential information security or privacy incidents
  - Incident handling procedure in place (printed copies must always be available)
  - An Incident Response Team should be ready; this team ensures that all necessary reporting procedures are followed once a breach has been confirmed.
  - The security posture has to be maintained through continuous monitoring
Common Sense Guide to Mitigating Insider Threats, 4th Edition