Broke Note Broken: An Effective Information Security Program With a $0 Budget
3.
You work in Michigan
Your company needs to innovate
Security itself is not strategic
You get no [new] money
4.
All new technology is on the Internet
Your company is a monetizible target
Foreign competitors have your old IP
They’re going to get your new IP, too
Regulation +1
6.
What does the CEO say it is?
What is the CIO/CFO/COO worried about?
What is IT spending money on this year?
Is your company spending lots of money on technology without IT involvement?
8.
Go to where the money is being spent!
Give generously of your time
Focus on the project’s success
9.
Designs, roadmaps, or whatever
Don’t just produce ivory tower crap
Sprinkle liberally with buzzwords
10.
Future-forward capabilities
Data & network security design for IaaS
Secure API architecture for mobile apps
Secure standards
SDLC practices
Server build guides
11.
Security metrics are really hard
Risk metrics are the easiest to put together
Good metrics tell a story
Data drives decision-making
18.
Microsoft EMET
v4.0 is imminent (late, actually)
Managed via AD group policy (3)
By-process memory exploit protections
SSL/TLS cert pinning detection (4)
Error reporting to SCOM for mitigation alerts (4)
19. IS Information Security Program
[Chart: 2012 Security Case Category: Malware. Malware cases per month, Jan to Dec 2012; y-axis 0 to 16.]
“Malware incidents demonstrated a noticeable peak in volume during the summer months of 2012. The significant fall of malware-related incidents beginning in November coincided with the deployment of the Microsoft Enhanced Mitigation Experience Toolkit (EMET), a new vulnerability mitigation tool that has been installed onto Priority Health user workstations. The highest volume of malware incidents in 2012 was in October with 14. In comparison the highest volume of malware incidents in any month in 2011 was 22. Botnet activity accounted for all of the malware incidents in October that could be identified, with the largest portion coming from an attack that used the compromised web server of a local TV station.”
Michigan’s economy has been shrinking since 2000. While 2013 will be better than 2011, national recovery has yet to hit our state in a meaningful way. The technology market is in a major shift – consumers now expect to interact with your company any time, any place via web & mobile technology. Security, while highly relevant and in the media spotlight, is not strategic. Therefore, your CIO is spending IT dollars to play catch-up to keep the business relevant. Any level of risk you can quantify is meaningless in the face of enabling sales & revenue. “Who cares if you avoid a major data breach if your company still goes out of business?” So you might get to keep the money you’ve contractually committed to your firewall, AV, and whatever else you have, but new capital is going elsewhere.
Not only are you not getting any new capital, but all of the new capital is going to directly increase your security risk. Got PII? Manufacturing IP? Payroll? Storage? Bandwidth? Then there are organized criminal enterprises that would like to send you a few emails. Speaking of IP, if it’s worth anything in China, they already have it. Regulations around privacy and security are being released at an ever-increasing pace.
When InfoSec is aligned, it is: relevant, enabling, forward-looking.
There are all kinds of technical risk waiting for you to assess, and it needs to be assessed regularly. Somebody may already be looking at some of this. Do your homework. The phrase of the year for healthcare is “risk assessment.” KPMG and OCR say most organizations experiencing data breaches don’t have a current risk assessment. Meaningful Use requires a risk assessment for all phases. Oooh, I bet there’s money to fix the stuff you find in that risk assessment! Let’s pick on vendors! No, seriously. New and key vendors should undergo risk assessment. Partner with procurement – add their concerns, do some of their work, and now you’re embedded in the contracting process and people want to involve you. And above all else, REPORTING, REPORTING, REPORTING! Give the CIO, CFO, whoever will listen visibility to the risks you have identified.
In my opinion, this is where InfoSec is at its best – embedded in project teams from project planning through to go-live. Best outcomes, least cost, minimal conflict. This is just one slide. But if you write nothing else down today, write this down. If you’re not working hard on other people’s projects, you’re accepting too much risk, paying too much for security, or both.
Cloud, mobile, BYOD, SOA, Big Data. Do your homework. Identify what security technologies, standards, and practices enable all of the things that are front-page tech news. Best part? It’s totally OK to say things like, “The tipping point for secure, mobile-enabled, unstructured data in the cloud is 18 to 30 months out because leading innovators’ integration with DLP and MDM is still immature.” I don’t even know what that actually means. What I do know is that I just said no to a bad idea, but it sounds like I’m saying yes.
There’s lots of stuff out there. Do research. Find the stuff that’s relevant to you, customize it to your environment. Publish, circulate. Even if nobody ever uses anything you publish, it’s good internal PR. You’re business aligned!
This is how you get budget for next year! You measure a bunch of security stuff over time: number of incidents per month (severity, type, etc.); aggregate risk score trend lines. Start with known issues and figure out how to measure them. Create a dispassionate, data-driven case for action (funding).
Create artifacts: reports, graphs, infographics, slide decks. Present the information, especially to affected decision-makers, including peers. (Don’t mix peers & your uplines in the same preso – no blindsides!) After you present, get feedback, make changes. Then distribute your materials liberally. Only be stingy with truly sensitive information.
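As an added example (not the presenter’s own tooling) of the measurements the two notes above call for: cases per month by category, a severity-weighted aggregate score for a trend line, and the before/after comparison around a control’s deployment month, run over constructed sample case records.

```python
# Security-case metrics of the kind the deck calls for. Added example,
# not the presenter's tooling; the case records below are constructed.
from collections import defaultdict

# Constructed sample of case records: (date opened, category, severity 1-4).
CASES = [
    ("2012-07-09", "malware", 2), ("2012-07-23", "malware", 3),
    ("2012-08-02", "phishing", 1), ("2012-08-14", "malware", 2),
    ("2012-09-05", "malware", 3), ("2012-10-01", "malware", 3),
    ("2012-10-11", "malware", 4), ("2012-10-30", "malware", 2),
    ("2012-11-08", "malware", 1), ("2012-12-04", "malware", 1),
    ("2012-12-19", "phishing", 2),
]

def _months(first, last):
    """Yield every 'YYYY-MM' from first to last inclusive."""
    y, m = int(first[:4]), int(first[5:7])
    while f"{y:04d}-{m:02d}" <= last:
        yield f"{y:04d}-{m:02d}"
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)

def monthly_counts(cases, category=None):
    """Cases per calendar month, optionally filtered to one category.
    Months with no cases are kept at 0 so a drop shows on the chart."""
    counts = defaultdict(int)
    for opened, cat, _ in cases:
        if category is None or cat == category:
            counts[opened[:7]] += 1
    first = min(c[0] for c in cases)[:7]
    last = max(c[0] for c in cases)[:7]
    return {month: counts[month] for month in _months(first, last)}

def risk_score(cases):
    """Severity-weighted score per month (sum of severities), so one
    severity-4 case outweighs several severity-1 cases on the trend line."""
    score = defaultdict(int)
    for opened, _, sev in cases:
        score[opened[:7]] += sev
    return dict(score)

def before_after(cases, cutover, category=None):
    """Mean cases per month before the cutover month vs. from it onward:
    the comparison behind 'malware cases fell after the control went in'."""
    counts = monthly_counts(cases, category)
    before = [v for k, v in counts.items() if k < cutover]
    after = [v for k, v in counts.items() if k >= cutover]
    def mean(xs):
        return round(sum(xs) / len(xs), 2) if xs else 0.0
    return mean(before), mean(after)
```

A month with zero cases stays on the chart as 0 rather than disappearing, which is what makes a decline visible to the people you present to.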
1 – Nameless Ukrainian arrested for Zeus botnet
2 – Hector Monsegur, Sabu (LulzSec)
3 – Albert Gonzalez (TJX, Heartland)
4 – Matt Flannery, Aush0k (LulzSec)
5 – David Kernell (Palin email hacker)
6 – PLA Unit 61398 (aka APT1)
It doesn’t matter what you’ve spent on prevention and control, you have problems. If you’re not monitoring for phishing, web kits, and malware C2 beacons, you’re missing something important. Also, people work for you. A tiny number commit crimes. A much larger number make mistakes. The speed at which you respond to problems has a lot to do with the impact on your organization.
Your Internet browsing logs and firewall logs will require something other than the free Logger or Splunk. You need to be able to write your own signatures.
About half of the really good stuff out there for incident response is free. The free versions of the commercial stuff are limited, but it’s a good way to prove out the product and justify budget for it next year.
This distribution has most of what you need to get visibility to the right data and start sifting through it. All you need is a couple of old boxes and a SPAN port to get started. Doug Burks’ DerbyCon talk from last year is on YouTube. Go watch it.
Deployed EMET 3.0 to 1,500 workstations at Priority Health, our health insurance company, in October 2012. In November, we had 1 case of malware on their network. In December we had 4. The one in November was not on one of the Priority Health workstations. The four in December were FakeAV and did not use an exploit. They were easily cleaned. That’s the biggest statistical decline we’ve seen since that metric was introduced in 2007. The only similar decrease was in 2009 when we introduced Websense security content filtering. And six months later we standardized on issuing laptops that people took home on a regular basis. EMET goes home with them.