Thursday, October 15, 2009

great interview with shipley on risky business re soupnazi

There was a fantastic interview with Greg Shipley in the latest risky.biz podcast #126. Quick recap below:
*Lots of large corporates got owned and over 100M credit cards were stolen. Why did this happen?

*Base assumptions were made by the C suite on the effectiveness of control technologies, i.e. we passed PCI-DSS, have firewalls, vulnerability assessment, IDS and antivirus, hence we are safe.

*Shipley recommends the use of an information risk register in the IT function and the application of compensating controls when security controls are not effective.

*IT can't convey technical risk effectively to management.

*Most organisations haven't mapped critical processes to data sets, systems and supporting infrastructure, which is needed before additional controls such as network segregation and increased monitoring can be applied where they matter.

*Until the CEO knows what questions to ask the CIO to identify whether corporate data is safe, we still have a problem.

I had some thoughts on the control technologies mentioned:

*firewalls - holes are punched through the firewalls to allow access to the applications that contain the critical data (e.g. HTTP to the web server, from the web server to the app server, from the app server to the DB server). Hence security is reliant on the controls implemented at these interfaces and on any unpatched and 0-day vulnerabilities (e.g. input validation in the web app, the method of database connection, database listener patching).

*vulnerability assessment - vulnerability assessment is only effective if the vulnerabilities identified are actioned. In most organisations getting traction on better patch management and configuration management is an uphill battle without a clear business case and executive support.

*IDS - an IDS has to be correctly placed so that traffic can be sniffed (i.e. after the point where the SSL tunnel terminates). Most organisations have NIDS only, and it is badly placed, badly tuned and unmonitored.

*audit logs - audit logs usually only detect usage of legitimate functions by authorised users, not OS compromise. Also, once a server is compromised, its logs can be wiped if they are not centralised on a secure server.

*anti-virus - only detects variants of known families of remote access trojans; it does not detect custom crimeware, much of which is now written and tested to avoid AV.

*PCI-DSS - no matter how gun your QSA is, it is only a point-in-time assessment and the QSA is an outsider unfamiliar with your environment. If actually performing the audit procedures required (rather than a chat and issuance of a report, as is rumoured to occur), he or she will check that you do not have plaintext cardholder data in your database. You, however, can turn on diagnostics five minutes after they leave to troubleshoot an issue, forget about it, and the next thing you know there are half a million PANs in a text file, easy pickings for anyone who cranks up Metasploit (and has access to the network).
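As an added example (not from the podcast or the original post), a small Python scanner of the kind a defender could run over diagnostic and trace files to catch exactly that scenario: it pulls out digit runs that pass the Luhn check and reports them masked, so the report itself does not become another copy of the PANs. The sample file and card numbers are constructed (public industry test numbers), not real data.

```python
import re
from typing import List, Tuple

# Constructed sample of a diagnostics/trace file of the kind an app server
# writes when verbose logging is switched on. The card numbers are public
# industry test numbers (Luhn-valid, never issued); the order ref is a decoy
# that fails the Luhn check.
SAMPLE_DIAG = """\
2009-10-15 09:12:01 DEBUG auth ok for user=ops01
2009-10-15 09:12:02 DEBUG charge req pan=4111111111111111 exp=1211 amt=42.00
2009-10-15 09:12:03 DEBUG charge req pan=5500 0000 0000 0004 exp=0112 amt=9.99
2009-10-15 09:12:04 DEBUG order ref 4111111111111112 status=ok
2009-10-15 09:12:05 DEBUG retry pan=3782-822463-10005 exp=0310
"""

# Runs of 13-19 digits, allowing a single space or dash between digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report only the first six and last four digits, as PCI-DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for each Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE_DIAG):
        print(f"line {lineno}: possible PAN {masked}")
```

Point it at the diagnostics directories and log shares, not just the database, and schedule it; a hit is a finding to be cleaned up, not something to copy into a ticket in the clear.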



My thoughts on questions for the CEO to ask the CIO:

*what % of the IT budget is allocated to infosec?

*do we know what our critical business processes, information assets, applications and supporting infrastructure are?

*of these critical applications and infrastructure, are we testing the protective security controls and are they effective in reducing the inherent risk to a level I would be happy with?

*are there additional trustworthy detective controls such as integrity monitoring on these systems? (i.e. Tripwire is the bomb)
