Chuan weihoo_IISF2011
- 1. Critical Infrastructure Protection (CIP)
Chuan-Wei Hoo, CISSP, CISA, CFE, BCCE
Volunteer Speaker, (ISC)²
Architect at Business Continuity & Security Governance, British Telecom Global Services
www.isc2.org
#IISF2011
© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 2. Agenda
• Introduction
• Current State Of Play
• Back To Basics
• Practical Approach
• Minimum Controls
• Q&A
- 3. CIP – Introduction*
Entertaining, funny or scary ???
* Source from Youtube.com
- 4. Current State Of Play – Recent Failures
- 5. Current State Of Play – Past Failures
Even in the movie Jurassic Park, the risk of an internal threat was clearly demonstrated by the character Dennis Nedry, the Park's chief computer programmer, who designed the system that ran the island. He was suffering from unspecified financial problems and felt disgruntled when he was not paid as much as he wanted for his job.
Dennis turned traitor and, secretly and for a sizable sum, agreed to smuggle embryos of all 15 dinosaur species off the island. He shut down all the safety systems to avoid the electric fences and the security cameras watching him. With the power gone, the dinosaurs began escaping from their pens and started killing people.
- 6. …Possible causes
• Lack of segregation of duties?
• Complacency? …contented self-satisfaction
• Lack of visibility?
• Lack of privileged access management?
• Single-point-of-failure (SPOF)
• Ineffective patch management?
- 7. Back To Basics
• CIP
– The preparedness for and response to serious incidents that involve critical infrastructure (CI), e.g. airports and service providers (electric power, water, telecommunication, etc.)
– Some CI are SCADA (supervisory control and data acquisition) systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes.
- 8. Practical Approach
• “Outside-in” versus “Inside-out”
[Diagram: the asset and its sub-components, viewed through the Physical, Technology, Logical and Procedural layers; the outside-in view on the left, the inside-out view on the right.]
- 9. Outside-in
• Explore all possible threats to the asset as a whole; no breakdown of the asset
• Assess the potential impact and likelihood of each threat
• Determine the mitigating control for each threat
• Design and build the controls for protection
Outcome: the solution tends to be over-engineered and can be costly, and it might fail to address some peculiar threats.
- 10. Inside-out
• Identify the asset; classify and categorize it
• Explore all possible threats to each categorization
• Assess the potential impact and likelihood of each threat
• Determine the mitigating control for each threat
• Design and build the controls for protection
Outcome: engineered solutions are targeted at the respective threats and vulnerabilities of each categorization. A more comprehensive approach.
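The inside-out procedure above (and, by contrast, the outside-in one before it) can be run as a small risk register: the asset is first broken down into categorized sub-components, each sub-component gets its own threats scored for likelihood and impact, and the mitigating control is chosen per threat and ranked by risk; it also flags sub-components with no redundancy as SPOF candidates, as the minimum controls later ask for. This is an added example written for this page, not code from the talk; the water-treatment SCADA inventory, the 1-to-5 scoring scale and the risk = likelihood x impact formula are constructed assumptions.

```python
from dataclasses import dataclass, field

# Likelihood and impact scored 1 (low) to 5 (high); risk = likelihood * impact (assumed scale).
@dataclass
class Threat:
    name: str
    likelihood: int
    impact: int
    control: str  # mitigating control determined for this threat

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

@dataclass
class SubComponent:
    name: str
    category: str    # Physical, Technology, Logical or Procedural (the layers of slide 8)
    redundant: bool  # False -> candidate single point of failure (SPOF)
    threats: list = field(default_factory=list)

def inside_out_assessment(asset: list) -> list:
    """Steps 2-4 of the inside-out approach over an already categorised asset:
    threats per sub-component, scored, returned as (risk, sub-component,
    category, threat, control) tuples with the highest risk first."""
    rows = [(t.risk, s.name, s.category, t.name, t.control)
            for s in asset for t in s.threats]
    return sorted(rows, reverse=True)

def find_spof(asset: list) -> list:
    """'Identify SPOF' from the minimum controls: sub-components with no redundancy."""
    return [s.name for s in asset if not s.redundant]

# Constructed inventory for a hypothetical water-treatment SCADA system (step 1).
PLANT = [
    SubComponent("control room", "Physical", False, [
        Threat("unauthorised physical entry", 2, 5, "badge access + CCTV")]),
    SubComponent("PLC network", "Technology", False, [
        Threat("unpatched PLC firmware", 4, 5, "patch management"),
        Threat("flat network shared with office LAN", 3, 5, "network segmentation")]),
    SubComponent("HMI accounts", "Logical", True, [
        Threat("shared administrator account", 4, 4, "privileged access management")]),
    SubComponent("change procedure", "Procedural", True, [
        Threat("engineer approves own changes", 3, 4, "segregation of duties")]),
]
if __name__ == "__main__":
    for risk, sub, cat, threat, control in inside_out_assessment(PLANT):
        print(f"{risk:>2}  {cat:<10} {sub:<16} {threat:<38} -> {control}")
    print("SPOF:", find_spof(PLANT))
```

The ranked list is what a governance review committee would walk through, and the SPOF list is the first thing the "regular comprehensive review" on the next slide is meant to surface.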
- 11. Minimum Controls
• Executive management support
• Thorough understanding/knowledge
– Business
– IT (full inventory - everything)
– Operations (supported by IT)
• Regular comprehensive review
– Identify SPOF
• Continuous self assessment
– Applicable control for tomorrow’s threats
- 12. …Management wise
• So what should we do?
– Top-down: get the executive management to push down the compliance need (a must-do, even when it is difficult to reach the right people)
– Bottom-up: work the ground to get the co-operation of the key stakeholders (lots of PR)
– Acquire the necessary training (training, certification)
– Define detailed SOPs (framework, standards, e.g. ISO/IEC 27001:2005)
– Governance review committee (you chair the committee, using a reference from a reputable source)
– Put in measurements (measurable):
• Key risk indicators
• Key performance indicators
- 13. Key Messages
• There’s no silver bullet to the problem, only mitigating controls to minimize the risk.
• Know where your assets are; information & infrastructure (was and is).
• Review and enhance your existing design and plans.
• Review and enhance your existing controls to protect your information assets.
• Continue to educate the end-users and raise awareness (most critical).
- 14. Thank you!