Tuesday, August 31, 2010

#ozsec - bringing the Australian Information Security Community together

Hello blogosphere!

I have been trying to learn to use #hashtags on Twitter to spread the Australian Information Security Association message. The #AISA hashtag seems to be used by others on Twitter; maybe it means something in Hindi?

So I went and invented the #ozsec hashtag. I hope the community can use it to communicate Australian infosec events, associations, security research and the like.

In case you didn't know, here are a few interesting Australian Information Security facts (please let me know if I have got any wrong):

- The first free open source port scanner (strobe) was written in Melbourne by Julian Assange of WikiLeaks fame
- There are over 1000 members of the Australian Information Security Association
- There are over 421 members of the AISA LinkedIn Group, which I started too :)
- There are world class security researchers in Australia like Mark Dowd, renowned for his work securing the Google Chrome browser, the only browser to survive Pwn2Own 2010
- AusCERT has been running the premier Australian security conference for seven years now and has been in operation for 17 years
- At least one of CA Technologies' identity management products is developed in Australia
- One of Microsoft's three main malware research and response labs is located in Melbourne
- A number of Australian universities offer graduate certificates in information security management (RMIT, ECU etc.)
- The Risky Business podcast, made in Australia, often has true thought leaders in infosec on it. HD Moore comes to mind, as well as FX and Barnaby Jack
- SELinux support in Debian and Red Hat was largely developed by an Australian, in Australia
- The Defence Signals Directorate runs a Cyber Security Operations Centre
Friday, August 27, 2010

How are architects, security architects and security testers meant to play together?

Well, here are my thoughts on how architects and the security people responsible for security architecture should work together. Keen for feedback as always :). Note: I updated this post following comments, to highlight how security testing should work.

Application Owners - These are business people who own a business process and hence the business applications that support the business process.

Business Analysts - These are people who identify requirements from business stakeholders and ratify them with the Application Owner.

Solution Designers - These are the people who often write the use cases for the applications and have responsibility for the design of the applications.

Enterprise Architects - Along with producing the "enterprise architecture", these fellows liaise with the solution designers to determine the requirements for interconnecting applications, for example network and middleware designs. Enterprise Architects produce solution blueprints for solution designers to follow when designing applications.

Enterprise Security Architect - Along with developing the "enterprise security architecture", which is a subset of the "enterprise architecture" and contains the "zone model", this person develops "security patterns" that can be overlaid on solution blueprints to provide standard sets of security controls. This person is also responsible for securing middleware and other shared infrastructure. It should be noted that the "security patterns" produced are vendor independent and are expressed as performance specifications. This gives the organisation a long term view of what it wants and where it is heading, so it can drive vendors to deliver to its needs rather than being driven by what vendors happen to offer.


Security Solution Designers - These people take the "solution design" from the solution designers and apply the "security patterns" from the enterprise security architect to develop the "high level design" for the solution. They also go to the next level of detail, the "security detailed designs". They select the hardware and software vendors that meet the requirements of the pattern and use their experience of "what works in the real world" to ensure that the planned application architecture and planned security architecture mesh together. Most importantly, they perform the risk assessment, collate the requirements, and select and document the security controls.

Security Engineers - These unsung heroes, using their in-depth training with the security products in use, configure the security hardware and software in accordance with the "security detailed designs".

Application Developers - These guys develop the application in line with the solution design and the use cases written and updated by the business analysts. Hopefully they are well educated and policed so that they write secure code in line with the requirements in the "high level design" and "security detailed designs".

Functional Testers - These people test the application to make sure it meets the requirements in the "use cases", mostly put together by the Business Analysts and refined by the Solution Designers.

Non Functional Testers - These people test all the things that need to be tested but don't fit in a use case, for example conducting performance and volume testing, or making sure high availability functions work as advertised by turning devices off.

Security Testers - These security people check that the security controls designed by the security solution designers and documented in the detailed design documents operate as intended, for example that password strength is enforced, that sessions are terminated when the logout function is activated, and so on. It's a good idea for these guys to also check that the security requirements and the security controls match up (every requirement has a control, and every control traces back to a requirement).

Penetration Testers - These wonderful people look for common application vulnerabilities and misconfiguration of operating systems, databases and application server software. Their job is to identify missing commonly expected security controls, to see if they can bypass the existing security controls, and to find weaknesses in their implementation. It should be noted that the penetration testers' job is not to perform the more rudimentary functional or non-functional testing of security controls, but to be the "icing on the cake": to sanity check the design and put the security controls through their paces.
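To make the Security Tester / Penetration Tester split above concrete, here is an added example (not code from the original post) of the kind of functional security-control checks a Security Tester runs: each check confirms that a documented control operates as designed, rather than hunting for ways around it. The `AuthService` class, its password policy values and the idle timeout are hypothetical, constructed for this example to stand in for the application under test; the checks themselves are the point.

```python
"""Functional security-control checks (added example, not from the original post).

AuthService is a constructed in-memory stand-in for an application under test;
MIN_PASSWORD_LENGTH and SESSION_IDLE_TIMEOUT_SECONDS are assumed values that a
hypothetical password standard and session design might specify.
"""
import hashlib
import hmac
import os
import re
import secrets
import time

MIN_PASSWORD_LENGTH = 12            # assumed value from a hypothetical password standard
SESSION_IDLE_TIMEOUT_SECONDS = 900  # assumed value from a hypothetical session design


class AuthService:
    """Minimal authentication service implementing the controls under test."""

    def __init__(self, clock=time.time):
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._sessions = {}   # token -> (username, last_seen timestamp)
        self._clock = clock   # injectable so tests can advance time deterministically

    @staticmethod
    def password_meets_policy(password):
        # Control: minimum length plus at least three of four character classes
        if len(password) < MIN_PASSWORD_LENGTH:
            return False
        classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
        return sum(bool(re.search(c, password)) for c in classes) >= 3

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        if not self.password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._clock())
        return token

    def whoami(self, token):
        # Control: a session is valid only until logout or idle timeout
        sess = self._sessions.get(token)
        if sess is None:
            return None
        username, last_seen = sess
        if self._clock() - last_seen > SESSION_IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        self._sessions[token] = (username, self._clock())
        return username

    def logout(self, token):
        self._sessions.pop(token, None)


# Security-control checks: each returns True when the control operates as designed.

def check_password_strength_enforced():
    svc = AuthService()
    try:
        svc.register("alice", "password")      # too short, one character class
        return False                            # control missing: weak password accepted
    except ValueError:
        pass
    svc.register("alice", "Correct-Horse-Battery-9")  # compliant password must be accepted
    return True


def check_logout_terminates_session():
    svc = AuthService()
    svc.register("bob", "Tr0ub4dor&3-xyz")
    token = svc.login("bob", "Tr0ub4dor&3-xyz")
    if svc.whoami(token) != "bob":
        return False
    svc.logout(token)
    return svc.whoami(token) is None            # replaying the old token must fail


def check_idle_session_expires():
    now = [1_000_000.0]                         # constructed clock
    svc = AuthService(clock=lambda: now[0])
    svc.register("carol", "Sunny-Day-2010!!")
    token = svc.login("carol", "Sunny-Day-2010!!")
    now[0] += SESSION_IDLE_TIMEOUT_SECONDS + 1
    return svc.whoami(token) is None


def run_control_checks():
    """Map each documented control to pass/fail: the raw material for a control test report."""
    return {
        "password strength enforced": check_password_strength_enforced(),
        "logout terminates session": check_logout_terminates_session(),
        "idle session expires": check_idle_session_expires(),
    }


if __name__ == "__main__":
    for control, ok in run_control_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}: {control}")
```

Note what the checks do not do: none of them tries to forge a token, brute-force the login or bypass the policy through a second registration path. That is the Penetration Tester's job; the Security Tester's job is to prove each control listed in the detailed design is present and behaves as specified.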

Tuesday, August 24, 2010

If you don't have these, well what's your problem?

If you are in the security function of a medium sized organisation and you don't have the following under control, well, here's the list, and a place to start if you don't:
- job descriptions for members of information security function
- list of business units and a key contact in each you know
- list of critical business processes and key applications for each business unit
- schedule for risk assessments of processes and applications
- some completed risk assessments (incorporating security policy compliance checks)
- security policy framework (aka ISMS)
- endorsed security policy
- some endorsed standards (esp. acceptable use, password, secure configuration)
- some processes
- some procedures (esp. firewall management)
- matrix of security controls and results with forward schedule
- schedule for pen testing program for critical applications
- copies of business unit risk registers
- vulnerability management solution and some completed scans
- log management solution and plan for enabling logging on end devices and associated alerts
- security awareness material for induction training
- enterprise security strategy with list of treatments that security function are running with
- governance reports to stakeholders

Friday, August 20, 2010

What should your security team look like?

When thinking about the structure of your central security function you should consider what best makes sense for your organisation and what functions should be allocated to full time employees, contractors and service providers.

There are roles that need to be held by full time employees as these roles need deep relationships with internal stakeholders and service providers for the security program to make progress.
  • Information Security Manager - a full time employee will be able to act in the best interests of the organisation and maintain the relationships with senior stakeholders that are necessary for securing funding and approval of security standards.
  • Information Security Governance Analyst - a full time employee will be able to build relationships with stakeholders in business units and gain the understanding of their business processes that is essential for co-ordinating risk assessments, security policy compliance checks and security control testing.
  • Information Security Technical Analyst - a full time employee will be required to liaise with projects and business units for penetration testing. It would also make sense to use a full time employee to conduct vulnerability management activities like vulnerability assessment scanning and to oversee security patch management.
There are roles that can be nicely performed by contractors:
  • Security architect - security architects are often required when an enterprise security architecture is being established or when there is a high volume of projects requiring guidance
There are functions that can be outsourced to service providers such as:
  • penetration testing - it makes sense to outsource this function as the resource requirements will vary dependent on projects in the pipeline
  • risk assessment and security policy compliance checks of projects and processes
  • security control testing
  • security operations - firewall management, IDS management etc.