| Stream A - Technical & Topical |
| Stream B - Management & General Interest |
| Stream S - SABSA World Congress |
| Stream P - Plenary Sessions |
For enterprises, managing security in today's ever-changing technology landscape is like being a farmer: it's all about managing your silos. Most IT organizations deploy many unique technologies from multiple vendors in an attempt to secure their infrastructure. Each of these technologies generally operates in its own silo, resulting in the duplication of basic functions across multiple appliances in multiple locations in the network. With security automation - enabling information to be shared in real time between heterogeneous collections of appliances - each new component added to the security infrastructure leverages value already in place in the environment.
Learn how to deploy a standards-based signaling bus to enable automated, intelligent network security decisions across a variety of technology components such as firewalls, anti-virus, intrusion detection / prevention, web application firewalls, vulnerability scanners, policy servers, CMDBs, SIEM, etc. Leverage metadata accessible through standard APIs that can be accessed for real-time actions and executed by multi-vendor products, including enterprise-specific data if needed. Maximize the value of your existing infrastructure by sharing information for dynamic, real-time visibility and control of your network. And see a live BYOD demo - security automation enabling seamless, secure integration of mobile devices into an identity-based access control environment.
Every service provider these days offers a mobile app. However, traditional banking and a mobile app are still a difficult match, due to demands on both user-friendliness and security. When ING, the largest retail bank in the Netherlands, set out to introduce an app of its own into the market, it faced a number of challenges.
Knowing that there was a large demand for such an app, the bank knew that it would need to get the security right, right out of the gate. Security was one of the three key principles for the app. There were a number of challenges from the start. Since this is a new field, there were no bank standards or guidelines applicable to app development and operations. The underlying security of the mobile data communication protocols (GSM) has been under fire. Insecure, open WiFi has become an accepted norm in society, and we see frequent mention of rogue apps listed in the stores.
The bank has tackled these concerns by focussing on getting the risk analysis right, designing a new two-factor authentication mechanism and enforcing transaction limitations.
Security was built in, not bolted on. App development started with first implementing a security framework, not functionality. This was a remarkable feat in so called ‘scrum’ development.
The roll-out was carefully orchestrated. A dedicated team containing all disciplines met daily to be kept up to date on all developments.
Monitoring processes were extended to include the scanning of app stores worldwide, in search of undesirable apps or branding misuse. Actively monitoring social media has also proven to be very helpful.
ING celebrated these efforts by having its app be top-rated as soon as it hit the stores, with sharply growing adoption rates.
In this Symposium Session I would like to take the audience along on this journey.
In a similar way to the OSI 7-layer model for abstracting information technology, the 7-layer model for connected mobile devices sets out to establish distinct boundaries around the different components of a connected mobile device. The purpose of the session is to discuss this theoretical model as a group, identify whether we agree that the layers are indeed distinct and, if so, what the options are for securing each layer.
Areas to discuss in the session:
- Bandwidth – the lair of the telco and for many years heavily regulated and controlled; with IP and open DNS this is now a lot more open
- Hardware – handsets and the wide range of devices available offer opportunities for error and cost cutting; do these open tangents of attack?
- OS – what advice are we giving on OS choice, and which manufacturer has the security/availability balance right?
- Application – what security, control and cost areas are we afraid of, and should we be afraid?
- Cloud – data is flowing from handset to cloud without the user knowing it; is this a good thing? It is likely to continue happening, so how can we provide equally seamless security?
- Social – in a world where we know more people virtually than physically, what social engineering opportunities does this open up for the attacker? Can we apply traditional anti-social-engineering techniques to this, or is something more sophisticated needed?
- Location – geo-located services have plenty of benefits to consumers, but are we wandering into a surveillance nightmare?
Once the exclusive domain of a small number of highly intelligent, often socially misfit geniuses, hacking has gone "mainstream" as an element of national defence. NATO established the Cooperative Cyber Defence Centre of Excellence in Estonia after that nation was the target of extensive cyber attacks. The United States has established a four-star Cyber Command to provide coordinated military digital response after suffering massive data breaches. When Georgian government systems came under cyber attack during the Russian offensive in Abkhazia and South Ossetia, the nation shifted critical Internet assets to a private hosting company in Atlanta, USA. Subsequently those systems came under attack. At what point does hacking (read: "computer network attack") rise to the level of warfare? Could United Nations Article V be invoked to engage collective self-defense against an attacker? How well informed are the political leaders who will decide how a nation pursues its cyber objectives? What role should we play as cyber-citizens? We'll examine some of the skirmishes that have set the stage for all-out cyberwarfare, and explore reasons why we haven't yet fought the "big one."
| A5 |
Soft Markers (Cultural Dimensions) of Network Attacks |
Char Sample |
The inability to accurately attribute attacks hinders network defenders in their attempts to respond to them. This discussion examines the role of soft markers, or cultural dimensions, in the context of problem solving and attempts to determine the relationship between these dimensions and network attacks. The first part of this discussion focuses on profiling the cultural markers associated with the attackers. The second part of this talk profiles victim characteristics. By examining the victim, one can determine their situational awareness, security posture, and, likely, the assets that the attacker desires. By conducting a “Victimology” one can better understand the adversary one faces or has faced, giving a fuller picture than just the adversary’s identity.
The goal of this talk is to discuss expected differences between attacks from various countries based on research into the originating country's cultural dimensions. Dr. Hofstede’s cultural dimensions include: long term orientation (LTO), uncertainty avoidance (UA), masculine/feminine view, individual/collective strategies, monumentalism/self-effacement, and power distance. Each of these traits plays a significant role in problem solving strategies. These strategies are used in various types of situations, which can include attacking networks. Results of attack analysis will also be shared.
Examining the attack and the attacker is important, but of equal importance is the examination of the victim. The process of forensic profiling, for example, is driven as much by the victims and their lives as by the nature and goals/desires of the attacker. When looking at the victim (i.e. corporations etc.) we can determine what the attacker may have wanted, as well as gauge their cultural, technical, and power dynamics by the choice of victim and the effort put into the operations. This process is known as “Victimology” in forensic profiling and should be an important part in the determination of soft markers and the end goal of attribution.
Value: Computer network attack (CNA) attribution continues to present a difficult challenge for professionals. CNA attribution has been hindered by NATs, proxies, anonymizers and other cloaking technologies; this work promises to provide a new and hopefully accurate component toward solving this complex problem.
Uniqueness: Previous profiling efforts have focused on individual behaviors and have proven to be unreliable. This effort focuses on cultural dimensions instead. Hofstede’s cultural dimensions have been widely utilized in other industries; this approach applies the cultural dimensions to the security industry. This approach represents a fresh view of a traditionally difficult subject.
Timeliness: Extremely timely, maybe a little out in front of the curve. A cyberwar has been taking place for several years. Attack attribution in this area relies on IP address hopping and inference based on code samples or other items left behind.
Approach: Rather than trying to solve the entire attribution problem, this approach suggests carving the problem into manageable pieces. This area offers two components to a multi-part solution: the attacker component and the victim component. This talk examines both sides in the chess match that takes place between the attacker and the victim. The attacker behavior is examined through the lens of Hofstede’s cultural dimensions, and the victim’s behavior is examined through the chosen security posture and countermeasures taken before and during the attack. Did the countermeasures influence the attack’s outcome?
Note: The first part of this talk is the presenter’s dissertation topic. The most up-to-date results will be presented in this area.
This session presents a model to identify whether an organization has a high risk of being attacked via client vulnerabilities. It inverts the usual view: it looks at the ROI for the hacker, instead of the ROI for the organization.
The economic model of the hacker may help explain whether to fear an attack from a lone hacker or from organized crime. It may also help direct defensive efforts to the sweet spots where they are most effective.
There are different sorts of countermeasures available. Their merits and risks are touched upon.
The reason for choosing COSAC as a platform is the possibility of an open discussion of the merits of this alternative approach, the effectiveness of countermeasures, and ideas to use and improve this model.
We are currently witnessing the global evolution of computerized medical solutions and devices from individualized standalone solutions to highly integrated medical devices that incorporate wireless Bluetooth 4.0 communication, Internet connectivity, and cloud data storage. Doctors and patients are depending on these advances to more effectively treat everything from heart conditions and chronic ailments to disabilities. The advancements don’t stop with medical patient solutions and personal medical devices; medical clinics are storing personal records and past medical histories on local and interconnected systems throughout “The Cloud” or, more accurately, the globe.
We will explore how interconnected medical devices and services have changed the patient / doctor relationship. Who is responsible for protecting the information and function of the medical IT, especially the device implanted in your body? Is it you? The doctor who implanted it? The office or hospital where the procedure was done? The manufacturer of the product or service? When you travel to other countries will the rules change, or will we have global governance of human interconnected medical devices?
These advancements can prolong and save lives and can have enormous positive benefits, but could also be the switch that turns you off.
| B2 |
Data Leakage Solutions: the Perception of Security |
John Walker |
The current threats posed by Cyber Crime, Industrial Espionage, and opportunism have driven many organisations to invest heavily in, and deploy, Data Leakage Prevention (DLP) solutions to protect their Corporate Assets and IPR from theft, inadvertent loss, and compromise. However, research and hands-on experience have evidenced that the approach adopted by organisations like Banks, Large Corporates, Charities, Telecommunications Providers, and the Industrial Community suffers from serious security gaps which, notwithstanding the perception of security and the investment made, realise a low ROI and leave wide open gaps that allow and support data leakage to exist – what is more, having deployed a solution, such organisations consider security to be accommodated – the worst possible place to be, in a state of unknown exposure!
The presentation provides a unique approach to locating security exposures, examples of which have been documented to exist in a number of areas, and which imply skill issues and a lack of understanding of basic infrastructure and the sub-technologies. The findings also demonstrate just how easy it can be to move data out, right under the nose of monitoring systems, undetected and un-alerted – and, even more worrying, even after making significant investments in consultancy and on-site penetration testing, one major bank still had massive undetected holes within its core infrastructure. The quantifiable worrying aspects of the findings are:
- a) Systems which will allow transfers of <£1 under £1 billion without detection
- b) Unfettered access by Outsourcing agencies to sensitive data assets
- c) Uncontrolled migration of data into non-secure Cloud (notwithstanding it was subject to PCI-DSS)
- d) Unsecured documents supporting verbose Metadata content (sensitive agencies)
- e) Desktop systems supporting open, unfettered access to accommodate industrial-scale, easy data theft
- f) Free Cloud space open to export of, and supporting, data theft
- g) Dynamic URL connectivity to underpin Serious-and-Organised-Crime and data theft
- h) Promiscuous Wi-Fi and Wireless Protocols provisioning inadvertent access to sensitive systems
- i) Life threatening exposures created by Freedom of Information (FOI) releases
- j) Misconfigured Internal, and External DNS
- k) Use of simplistic encryption in plain text
- l) Printer exposures
- m) Micro imaging
- n) Grove
- o) Desktop SharePoint
And the above is but a scratch of the surface, outlining but a few of the common exposures that exist within today's corporate environments.
Real-Life Demonstrated Examples: The presentation will undertake to prove the findings with multiple live examples of the located vulnerabilities.
Testing: To accommodate the positive aspects of resolution, the presentation will present value add in the form of an outline of the pragmatics of security testing which should be accommodated to secure the operational enterprise, and this will be built into the presentation as a stand-alone toolkit.
Approach: The approach to Data Leakage Prevention is, on occasions, seen as the deployment of a silver-bullet solution, based on a point-and-click installation. However, this is a major mistake, and the prime reason why insecurity still exists post investment and deployment of security solutions – this presentation will set out the road-map underpinning effective deployment of a robust solution to deliver real-time security to protect the enterprise.
Conclusion: The concluding value add of this presentation will be to practically outline where the shortfalls in security exist, and to provide a valuable contribution towards locating such exposures and vulnerabilities with zero financial investment, in the form of a toolkit for delegate use.
Prevention strategies are not always 100% successful. Detection and response strategies are essential too. When a bank finds itself fielding several different attacks simultaneously, quick mitigation must be combined with strategic and creative problem solving to protect customer accounts and thwart the hackers. Evidence needs to be preserved, and most importantly, the loopholes need to be identified to stop the attacks.
In this interesting and timely session, you will learn how hackers used a compliance change in conjunction with a loophole in commercial banking software and a variety of attack vectors to penetrate an international merchant acquirer network. Skimming was used to obtain the initial card data. Merchants across the world were hacked and used as gateways to push small value transactions into the big association networks, for the purpose of seeding behavior analysis software at the card issuer banks with new purchase patterns. Design flaws in widely used E-commerce software were exploited to ensure that the customers did not see these ‘behavioral adjustment transactions’. Then, with new purchase profiles associated with the target customers, the hackers pounced, draining accounts with fraudulent purchases.
To most customers, it is ‘business as usual’, but in the back room, decisions are made quickly as data streams in and every aspect of the attack is analyzed in real time to reduce the impact of the active attacks, determine the number of adversaries, predict their next moves, and identify and correct the root cause.
This is a practical case study into the hacker mentality, the card fraud emporium, the practical realities encountered when dealing with an active attack, obvious (but often overlooked) prevention strategies and practical countermeasures that disrupt the attack and buy precious time until permanent fixes can be made.
With the huge increase in public profile and discussion around computer hacking/cracking in recent years, the concept of ethics in information security has been brought back into the eye of the industry.
With teenagers across the world being charged under computer misuse laws and security researchers actively testing systems without consent, we need to look again at what we mean by ethics in our industry.
This session will take the form of an interactive session around the issues of ethics in our industry, with the speaker highlighting some of the key questions that relate to ethics, and facilitating discussion on these topics.
Some of the questions being asked will include:
- What does ethical hacking mean?
- When does security research become a crime?
- Why do the general public still think hacking is cool?
- Does the punishment fit the crime?
- How can the young people getting involved in computers be expected to understand it all?
| B5 |
Information Security Organisation: Method or Madness |
Glen Bruce |
The organizational structure and corresponding roles and responsibilities for information security can often vary wildly from one organization to another. In many cases this is an evolution from the technical basis for security controls, and in others it is the result of a “master plan”. In many organizations, the roles and responsibilities change on a regular basis. The evolution of threats (cyber threats, hacktivism, Crime-as-a-Service etc.) is prompting organizations to be more concerned about their own information security environments. What makes one approach to organizational structure work well while others are subject to constant revision? How is the “business” engaged with information security? How do we deal with the increasingly complex business relationships and changes to the business? How does information security deal with enterprise risk management or information management? Is the organization prepared to meet increasingly sophisticated external threats? This session will provide the considerations and criteria to help answer these questions.
We have observed some common themes and characteristics of organizational structure that have proven to be more successful than others. This session will focus on the organizational components of an information security program and outline the approaches that have proven successful and the ones that unfortunately have not. Based on real world experiences, we will outline the characteristics for defining and implementing information security roles and responsibilities (the good, the bad and the ugly). We will conclude with a set of principles that provide guidance toward better organized information security roles and responsibilities within a well-operating organizational structure.
| B6 |
Information Classification in the Commercial Sector: Are We Mad? |
Jon Colombo |
Information Classification is one of the core mantras of our discipline. All the textbooks tell us we must classify our data. ISO27001 tells us. It even sounds cool: all that James Bond stuff, marking documents ‘Confidential’, ‘Top Secret’ or even ‘For your eyes only’. Brilliant! Even better, as Information Security professionals, we get to say what goes where and who does what. Eat your heart out Secret Squirrel. Getting the ‘ok’ to set up an Information Classification scheme has to be the highlight of any Information Security Career …or does it?
Stop and think a moment. Do most of us really understand what this involves? Ponder on where the ‘gotchas’ are in:
- Defining the classifications
- When to mark what
- Drawing up handling rules
- Rolling it out
This session will:
- (Briefly) look at schemas
- Delve into the complexities and the problems that lurk there
- Peer at the pain of implementation
- Discuss cunning stratagems to avoid, or deal with these
What is the added value of an Enterprise Security Architecture in a compliance-driven environment? And how can we apply the SABSA model to it?
We’ll take a look at the application of Enterprise Security Architecture (ESA) in an environment that needs to comply with a dozen control frameworks, laws and regulations. This environment is visited frequently by IT-auditors and has all certifications needed. These audits require a lot of resources from system administrators and operational security managers. The ESA can reduce the effort needed for those audits.
In the presentation, the following will be demonstrated:
- How to create an overview on all the security requirements
- How to use a set of generic security services that tie together all control frameworks
- How to document justification for each measure
- How to facilitate a structured summary of security aspects in every design document
- How to create an implementation roadmap for missing security services, prioritized by relative business value and service maturity level
- How to create different reports from the ESA that are relevant to specific stakeholders
Parallel to the Security Architecture, a functional Reference Architecture is developed. This contains the functional building blocks of the environment. The Security Architecture is tied closely to the Reference Architecture. A combination of TOGAF and SABSA is used in this approach.
| S2 |
SABSA Architectural Analysis of the US Federal Government’s Standard Security Controls Catalog (i.e. NIST SP 800-53v3) |
Robert Trapp |
It’s difficult to judge when you’ve built in enough security. Too little and the system is not adequate for its threats; too much and the costs are too high to be appropriate. In the SABSA architecture process, the business-driven, risk-management-based approach ensures that a proper perspective, requirements, and security strategy are adopted. At lower-level stages, when creating the logical and physical security architectures, we need to allocate security controls into the design from whatever our selected library or catalog of controls may be. Security controls are an essential tool for security architects to design the detailed architecture. But the question remains: how do you know when you’ve got enough, and the right, controls?
For civilian systems in the US federal government, law and policy directs ICT system owners to design security with the processes and standards developed by the National Institute of Standards and Technology (NIST). Of these standards, NIST Special Publication 800-53 is prominent, because it defines the baseline catalog of security controls. There are 205 controls, most of which contain subsections and optional enhancements. To select the right controls, NIST’s process consists of several steps, essentially involving categorizing the sensitivity of information, using one of three predefined baselines of controls (i.e. subsets of the total), then – critically – customizing the controls selection to meet unique system needs and circumstances.
However, despite being exhorted to tailor and supplement the controls, the process only roughly describes the idea that selection should be driven by risk principles. There is no overarching concrete framework to direct control selection or judge completeness.
This is an area where the SABSA approach and its defense-in-depth model can help.
This session presents the results of a SABSA architectural analysis of the NIST 800-53 catalog of controls, and asks the question if this can improve the architecture process. The intent is to explore an improved tailoring strategy for controls. The 205 NIST controls are mapped, down to the clause level, against the SABSA framework and defense-in-depth model. As far as the author knows, this analysis is unique and has not been published before. It should aid security architecture practitioners and their associated system owners, approval authorities, architects, and implementers in assessing the quality of their security strategy and designs. It may also provide an indication of where to focus future updates of controls definition in the standard itself. An electronic copy of this analysis will be made available.
In most organizations, information security has matured quickly from a technical response to vulnerabilities, to a blanket of information security policies and standards and on to a more fully defined information security organization. This journey has not always been smooth. There is still a wide variation between the different levels of maturity of information security programs across organizations. In many cases the organizations have not had the time, commitment or financial support required to formalize and implement a fully defined and functional information security management system. Unfortunately, many organizations do not realize that a mature program is needed until unfortunate and potentially harmful events take place. A well-defined and implemented information security management system is the product of answering 6 questions: Is it complete; Can we do it; Will it solve the problem; Can we afford it; How does it fit; and Do we understand it?
SABSA provides the structure, framework and method for formalizing and implementing the information security program. The evolution of international standards such as ISO/IEC Guide 83 and ISO/IEC 27003 provides additional guidance on how information security can be more formally defined and integrated with the controls and practices defined by ISO/IEC 27002. However, having methodologies, frameworks and standards is often not enough to be successful. This session will illustrate the need for defining and implementing information security as a management system. This will be supported with real-world examples of the considerations and the criteria required to be more successful with the resulting ISMS. We will conclude with a set of critical success factors that will demonstrate whether the ISMS is capable of meeting its intended need.
The reason for this session is my involvement in a complex outsourcing scenario in which some strange choices have been made involving the splitting of the services that need to be delivered by different service providers. These are both internal parties and external suppliers.
We have already seen that the SABSA business attribute profile can be used for scoring vendors in an outsourcing scenario. One of the other powerful tools we have in the SABSA tool set is trust modeling.
Trust modeling can potentially help us in several ways:
- It can make clear the complexity between the different parts in an outsourcing scenario: the number of different parties and the relations between these parties.
- It makes responsibilities clear between the different parties. It can make clear what needs to be delivered and how that can be assured.
- It can be used to make the relationships “measurable”. This is powerful in both the initial setup of the environment and the later operational phase.
To achieve these benefits we need to map the complete environment from a process, people and technology viewpoint, and for this we need to break down all the trusts into simple trust relationships. We can set clear requirements on these simple trusts. These can be based on a SABSA Business Attribute Profile, but they can also be based on another set of criteria.
In the presentation I will present a few slides on the concepts of domains & trust modeling, to make the basic concepts clear.
This is an idea that has not been tested yet in real life; I hope to do this in the near future. I would like to have the input of the COSAC audience to get the concept challenged and improved.
One vision, a common mission and a concise plan are critical elements for success and in SABSA architecture, Attributes allow us to harness the essence of business requirements and execute with confidence. Without clear articulation of vision, mission and drivers, the enterprise attributes may not capture the essential concepts of value for the organization and this challenge is emphasized in organizations that speak many languages. Multinational, multilingual organizations may commit to operating in a single language, but several issues can impact the best intentions.
Jason and Michael will discuss the challenges of enterprise architecture in multilingual organizations and specific incidents of attribute misalignment in multilingual enterprises, and highlight solutions to capture the essence of the enterprise regardless of the language spoken throughout the organization.
No script, no slides, and no advance warning to the facilitator. An Open Forum in the true COSAC style and tradition, this session presents the SABSA community (and those professionals not yet part of the SABSA community) with the rare opportunity to pose questions to SABSA Institute CEO David Lynas.
Come armed with whatever question, challenge, opinion or idea that is on your mind with regard to the SABSA methodology and framework, techniques, tools or real-life problems.
Please note that this forum is focused on addressing the needs of SABSA Architects as practitioners and that issues relating to the SABSA Institute will be addressed in the SABSA Forum on Thursday afternoon.
| P7 |
So You Think YOU Have No Budget: Establishing National Standards in the Charity Sector |
David Canavan |
One important aspect of InfoSec deals with infrastructure services such as routing and DNS. Recent attacks on DNS and BGP have called attention to this important security area, which has often been overlooked by security professionals. Historically, InfoSec professionals have passed on dealing with this area, leaving the problems to the ISPs. However, since cloud vendors now offer Infrastructure as a Service (IaaS), security professionals need to be more cognizant of the challenges faced with the network infrastructure. Additionally, infrastructure services have become a key target in various Cyberwar activities.
Disclaimer: This is a very deep technical talk. The presenter is happy to provide detailed explanations as necessary, in accordance with the audience's wishes.
| A9 | Will Mobile repeat the security lifecycle of the desktop? | John Ceraolo |
It has been said before: “If we don’t know where we have been, we will not know where we are going”. Information security has a history, and through unpleasant events, some even spectacular, we have risen to meet the challenge, but often in a reactionary fashion. After all, when the desktop computer came on the scene, it was difficult to predict just how much would be exposed. This session will cover the security history of the desktop, draw parallels to the current mobile technology environment (smartphones, tablets, etc.) and ask: have we learned anything? We will examine the attack types and the subsequent adoption rate of countermeasures and controls, used first for the desktop and now (hopefully) for mobile. Mobile has become pervasive in all aspects of personal life and has blended almost seamlessly into the business world on the same device. How do we as practitioners use our security history to meet, and more importantly proactively prepare for, the likely repeat of the same vulnerabilities? We have less control over connecting devices today than ever before, with a greater value of data than was ever dreamed of twenty years ago. Through this session we will explore the historical parallels, those that have already been matched, and then look into the future of not just device security but connectivity, dependency and manageability. We will finish with participation from the attendees: what does your crystal ball tell you, and what are you doing to prepare?
The ‘Internet of Things’ is swiftly becoming reality as physical devices and Internet-connected devices merge. Multiple devices are being connected to the Internet, from televisions to games consoles and finally utilities and critical infrastructure.
Smart Meters are spreading across Europe at an unstoppable rate with 94% of homes having Smart Meters in Italy and approximately 70% of homes in the Nordics. Even the deregulated UK market, with the most difficult structure, is expected to have Smart Meters in 65% of homes by 2015.
Behind this, the drive for greater efficiency in the power grid, together with the capacity challenges brought on by the inconsistent supply of renewable energy sources, is driving the adoption of SmartGrids across Europe, with the ultimate aim of linking the transmission and distribution of power with the metering and provision of services. This introduces a whole new level of information and cyber risk into an environment where equipment has long refresh cycles and must be serviceable for decades in order to be economically viable.
This is driving a whole new set of debates in the industry around the adoption of “cyber” security for this sector. There is ongoing friction between the industrial engineers, who are experts in SCADA systems, risk and the health and safety of utility equipment, and information security specialists, as we attempt to address the challenges of information security in a world where availability is the most critical factor and getting security wrong can lead to personal injury or death.
During this session I would like to present some of the research I have been doing in this space, provide a view of the current consensus that I’m seeing in the industry discussions and get the view of COSAC on the following:
- How much can we directly take security governance and architectures from a traditional information and IT security space to apply to the securing of Smart systems?
- What lessons can we as Information Security Professionals learn from the industrial engineers in the management of risk in these environments?
- Is there a possible intersection where we use the expertise of both types of risk from the different disciplines to come up with realistic and implementable security solutions that accommodate the long equipment cycles and availability requirements of industrial engineering?
You have all heard the term cybercrime, and you have heard about all things cybercrime – stolen credentials, identity theft, fraud, blackmail, DDoS and more. You may have heard that there are markets for goods connected to computer crime. You may have heard that there’s a lot of money in it (enough to pay off the national debts of most states, including the USA, if you total all reports on damages by cybercrime). As usual, the problem lies in connecting the dots. What are the mechanisms behind these black markets? What are the goods? Who pays for them, and by which means? Surely you cannot just walk into a chat room, drop your credit card number and part with the digital loot, or can you? What if you end up being a trade object yourself? Screenshots of actual high-profile advertisements are shown, such as a post offering mysql.com root access for sale.
IT security companies and law enforcement organizations have a vested interest in investigating these mechanisms. The information is vital for everyone implementing IT security as well. You have to know who is up against you and why. This is the basic information every defender needs to possess, and proper knowledge is one of the few advantages you can use for the protection of your assets.
Almantas Kakareka will address these questions in his talk Insight Into Russian Black Market. He will give you an insight into the underground and explain which “products” criminals trade. If you are in charge of securing the digital heart of your enterprise or of implementing security, then you should listen to this talk.
| B12 | Insider threats, what organisations can do to address the detrimental effect of a malicious insider in a multisourcing environment? | Maclaud Mafaiti |
Multisourcing contracts have been lauded as a huge success and a way of improving performance and end-to-end service delivery in many businesses (Longwood, 2012). Many companies have reported reduced costs, improved service provision to the business, a more productive multisourced environment, and a better overall end-user experience among other benefits (Unisys, 2011).
However, multisourcing extends the definition of a company’s users to include vendors and other service providers who play a role in the operating environment, thereby increasing the organisation’s exposure to malicious insiders who steal company secrets. This increases the organisation’s operational risk from malicious insiders (insider threats). Studies have mainly dwelt on insider threats from persons internal to a company. Very little has been said about the complexity of dealing with insider threats in a multisourcing environment, where users are internal to a company but belong to various external suppliers and organisations working with the company. In many cases these users are highly privileged, as they support and have administrative access to some of the repositories where confidential information and other intellectual property (IP) are stored and transmitted.
Studies have shown that, inasmuch as attacks are still coming from the external environment, malicious insiders are also sources of information theft resulting in lawsuits and huge losses. This is mainly because defences against external threats have evolved over time and have been perfected to deal decisively with external adversaries, while less focus is placed on the malicious insider who has the “keys to the castle”. Insiders have a number of advantages compared to an outsider: they are internal, and they have information on all the security measures in an organisation and their deficiencies. Above all, they have trust and privileged access to the systems that hold sensitive information. Added to this predicament, the various multisourcing parties have different employment procedures that might not be in tandem with the client or the other players in the contract. This exacerbates the challenge of harnessing multiple competing suppliers whose roles overlap (Outsourcing Law, 2011).
As a result of these advantages, it has been noted in many cases that a malicious insider does not use the sophisticated tools or methods that a hacker might use to exploit vulnerabilities in applications and business processes.
This paper looks at the threats posed by malicious insiders in a multivendor setting. The paper assesses the challenges posed by malicious insiders and proffers practical solutions to dealing with them through mainly the cooperation of all departments and all service providers in the organization and through the harnessing of technologies to detect and report insider threats. The paper concludes by examining practical strategies an organisation might use to combat insider threats in a multivendor environment.
This is COSAC. We’re all professionals. We’ve all been around the block several times. We can differentiate between effective security measures and those that look good on paper but don’t quite measure up in practice. But we still too often have to fight for acceptance of even the most seemingly obvious security solution. And not just with managers, but with users, developers and support staff. In this interactive session, we'll analyze ways to get and keep the attention of the necessary stakeholders regarding the crucial issues of understanding, selecting, implementing and using advanced security technology to help protect the organization's valuable resources. We'll learn why some people in our organizations instantly get turned off when we "speak like a geek," and how to avoid this and other pitfalls. We'll see why the mere mention of "product of primes" or “advanced persistent threats” or “elliptic curve cryptosystems” or “integrated honey-pot technology” or the inherent dangers of Cloud and Social Networking makes them cringe and suddenly remember another meeting going on right now that they can't possibly miss. We'll cover effective ways to get buy-in for our solutions, technologically advanced or not, to real security problems.
Within the security community it is common wisdom that information security should be treated as a multidisciplinary topic. Threats and controls cover the wide range of IT systems, perimeters, applications, human attitude, processes, physical and logical security, policies, and standards.
Furthermore, it is obvious that the business runs the risks of IS breaches and is therefore ultimately responsible for the right response. In my years as an IS practitioner I have noticed that a divide between IS and the business is (still) present in most organizations. Most often the divide is masked by a governance structure which, at the top, combines all the fields mentioned. Still, in reality, security happens on the work floor. If we are lucky, a holistic view of information security exists at the top, but communication between the practitioners (IS and business) is hindered by the logical and physical separation between the two professions.
This is relevant to the situation we currently face: society is flooded with malicious threats and attacks. We need the business involved at all levels, not only to support the efforts of the IS departments and practitioners, but also to manage (avoid or take) the risks.
In this presentation I will describe a setup where information security is embedded in the business in a way which is rarely seen, and will discuss the benefits this arrangement has for the quality of information security.
In this particular situation the IS group is part of the Business Control department. This department is, among others, tasked with management reporting and support, Enterprise Risk Management, quality assurance and information security. Most of the members of the IS group have first-hand knowledge of business processes, procedures and the daily workflow of the different departments.
With this IS arrangement we achieve results which differ in some important aspects from the results of a typical IS shop:
- Better and tailor-made IS risk management.
- An important shift of focus from the technical aspects of security to the process aspects.
- More focus on the broader scope of security, including HR, physical security and process security.
- At the strategic, tactical and operational levels, the share of IS decisions made by the business (operational management) rises.
- More out-of-the-box thinking when analysing issues and designing solutions.
Of course this approach has its (initial) drawbacks:
- IT becomes more of a black box; IT initiatives can develop below the radar.
- It is more difficult to recruit this kind of IS employee.
In this presentation I will clarify and illustrate these differences and invoke some discussion.
Corporate IT is under huge pressure to allow people to 'bring your own device' (BYOD). From smart phones to tablets to own PCs the new generation of workers (often called 'Generation Y') are technology savvy and already well equipped. They demand an integrated lifestyle where the boundary between work and leisure is fuzzy, where they are mobile and always connected, where they carry a single device for all purposes. This is an enormous challenge for traditional IT departments, because whilst they may resist the changes they will not prevent them. There are also potentially huge cost savings to be gained from this new approach, which means that there is pressure from management as well as from the workers themselves. The question then arises, how shall we secure this new environment so as to manage the risks for both the enterprise and the employees, each having their own desire for separation of work and leisure yet on a single client device? This presentation will examine the issues, suggest some of the solution strategies and provide a forum in which the COSAC community can debate this highly topical subject.
Cryptography is an essential, pervasive security tool for any organization. Evolving threats increasingly require that cryptography be used within multiple layers of the architecture. Compliance requirements (PCI-DSS, PCI-PIN, EMV, SEPA...) are increasing the cost and the complexity. Managing cryptography and the related management of keys should be seen in terms of the assets being protected, the risks to those assets and the security controls to be deployed.
Doing this in a structured manner requires a blend of skills and tools. The SABSA methodology can be used to establish an enterprise view of the effective definition and management of cryptographic services. This approach supports demonstrable, traceable compliance by design, hence increasing effectiveness and reducing the overall cost of compliance. In this presentation we take a look at this proposed approach to Enterprise Enablement of Cryptography, and discuss the alignment of architecture skills and cryptography technologies.
T.S. Eliot so eloquently put it: “Only those who will risk going too far can possibly find out how far one can go”.
As security subject matter experts we very often understate the opportunistic strength of positive risk management, only to see it replaced by security-constricted ‘business assurance’ (sic) controls thinly disguised as ‘threat and vulnerability management’ risk assessments.
The consequence of this approach is the well-trodden path of failure: failure to deliver, failure to produce, failure to enable, failure to succeed, failure to profit.
The questions that need to be answered can be summarised as What, Why, How, Who, Where and When can we do better? Sound familiar? It should!
My presentation will discuss the course of discovery I took to address the New Zealand Government’s Certification and Accreditation (C&A) policy. This was achieved by adapting SABSA through-life risk management practices to promote business and security attribute-led decision making assertions.
Using a personalised security architecture business assurance resource toolkit, my demonstration will include examples of:
- Business and security attribute profiling,
- Through-life traceability,
- Re-use treatments,
- Centralised multi-tiered control libraries,
- Aggregated impact measures,
- The value of Key Risk Indicators, and
- The meta-model used for delivering assurance.
Central to the resource kit are the authoritative sources used for assessing the strategy and planning, design, implementation and assurance layers of the SABSA RMP framework. The referenced libraries are the SABSA business attributes and the New Zealand Government Information Security Manual (ISM) controls. The demonstration will clearly prove the value of through-life activity component planning and analysis.
My presentation will be concluded in time-honoured COSAC fashion with an open debate regarding the Australian Defence Signals Directorate (DSD) Top 35 Mitigation Strategies (see http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm for further details).
DSD states that “At least 85% of the targeted cyber intrusions that the Defence Signals Directorate (DSD) responded to in 2010 could have been prevented by following the first four mitigation strategies listed in our Top 35 Mitigation Strategies”.
My questions for debate are:
“What is the potential for mismanaging your time, effort and valuable resources by blindly following these strategies whilst not knowing the level of your business risk appetite”, and
“Will the SABSA through-life risk management plan demonstrated in my presentation benefit business decision making when considering implementation of these strategies?”
Criteria:
Value: The delegates will be provided with a practical SABSA approach to Security Risk Management Planning. It will demonstrate the value of multi-tiered attribute profiling, an approach for centralising a library of controls, systematic through-life risk management capability and near-real time business and operational Key Risk Indicator (KRI) governance and assurance reporting.
Uniqueness: The methodology is based on many years of operational security risk management but improved by my research and recent understanding of the SABSA approach to Risk, Assurance and Governance. The toolkit that will be demonstrated has not been published and is currently being piloted by a leading New Zealand government agency. For COSAC it will be enhanced to include SABSA business attribute profiles as its authoritative source.
Timeliness: During the last 12 months the New Zealand Government has:
- Introduced a national security plan,
- Introduced a cyber security strategy,
- Established a National Cyber Security Centre, and
- Released an updated Information Security Manual with more than 800 controls.
The national authority for Information Assurance directs that all agencies must Certify and Accredit all (information) systems.
The security architecture business assurance resource toolkit has been designed using these requirements and the DSD’s Top 35 mitigation strategies as a case study. The aim is to provide consistency of approach across the NZ sector. It is worth noting that the toolkit can be adapted to any sector simply by including the appropriate control register (e.g. PCI DSS).
Approach: The presentation will be via PowerPoint and use of Excel. The concluding debate will be to encourage maximum audience participation, gain advice on the practical aspects of the toolkit and to measure expert opinion on the value of directives such as the referenced DSD mitigation strategies.
Scenario Planning is a methodology for strategic planning perfected through over 30 years at Royal Dutch Shell and used by many large organizations and NGOs to ensure that they are able to react quickly to the two or three most probable futures based on understanding the likely outcomes of key decision points that will make a difference to the organization's future. The key difference between Scenario Planning and traditional strategic planning methodologies is the realization that there are multiple, equally likely futures rather than focusing on only one, most beneficial outcome.
This session explores current ongoing research into applying key SABSA concepts, specifically the Attributes Profile and the Domain Model, to Scenario Planning, using the SABSA operational risk management mechanisms to catalog and track key decision points relating to one or more scenarios developed through Scenario Planning. The session also explores how the SABSA Attributes Profile and Domain Model provide key integration points that allow business execution monitoring and management within the scenario planning framework. Finally, the session briefly discusses the creation and management of security architecture in a Scenario Planning environment.
| S11 | Approach and Tools for implementing a SABSA-based Risk Management and Assurance Framework | Bill Schultz |
This session will discuss the approach of the Vanderbilt-Ingram Cancer Center Research Informatics Core for introducing the SABSA Risk Management Framework, and review some of the tools that have proven effective. We will discuss lessons learned in the process such as approaches to getting buy-in from non-security IT groups, determining where to start an implementation, and building business process tools that simplify governance and attributes management. Some of the tools that will be reviewed include templates for SABSA based project management and trust modeling. Finally, we will discuss ongoing challenges and new tools that would make it easier for security architects to implement SABSA in similar environments.
Universities and researchers are under increasing pressure to protect sensitive data during research and to provide assurance that they are doing so. This is a considerable challenge for an industry that is innovation and results driven and where funding for a given project may only be guaranteed for 6 months to a year. It requires that the organization has a strong framework in place to ensure that each dollar in IT is spent wisely. SABSA provides a mission based way for a research organization to demonstrate compliance and ensure that they are still striving towards their research goals.
No script, no slides, and no advance warning to the facilitator. An Open Forum in the true COSAC style and tradition, this session presents the SABSA community (and those professionals not yet part of the SABSA community) with the rare opportunity to pose questions to the original author of SABSA and Head of the SABSA Academy John Sherwood.
Come armed with whatever question, challenge, opinion or idea that is on your mind with regard to the SABSA methodology and framework, techniques, tools or real-life problems.
Please note that this forum is focused on addressing the needs of SABSA Architects as practitioners and that issues relating to the SABSA Institute will be addressed in the SABSA Forum on Thursday afternoon.
What does security mean to you? Protecting your network, safeguarding your data, ensuring that your business is able to operate uninterrupted… There are as many answers as there are information security practitioners.
Security takes on a whole new meaning at Burning Man, a week-long annual art event and temporary community deep in the heart of the Nevada desert. Fifty thousand people gather to create art, experience nature, and pursue “radical self-expression and radical self-reliance” - and some of them find the latter a little harder than they expect!
Scorching sun, freezing darkness, dust, wind, dust storms, and the occasional torrential downpour are just the natural hazards - then there’s fire, art cars, and your fellow citizens. Staying safe, keeping hydrated, and having fun on the playa require close attention to your environment and application of some fundamental safety principles - which can carry over to our efforts in the information security arena.
This talk owes its existence to COSAC! Inspired by a conversation at lunch in 2010, it started out as a COSAC rump session, then evolved into a lightning talk at our local hackerspace and a fire talk at Shmoocon 2011. Now it’s a full-length tour of what I’ve learned about security across five years as a citizen of Black Rock City, and how to apply those lessons to our information security challenges.
Experienced security professionals know that despite media reports, hackers are not always technological geniuses. Some can’t even read the scripts they unleash against our networks. However, while computer crime in 2011 grows increasingly organized, focused and specialized, even the greenest script kiddie can be an outstanding social engineer. We security veterans must prepare our organizations to defend against these non-technical, but most insidious attacks that play upon our workers’ sincere desire to get business done and help others to do the same. Really competent social engineers can win trust to such an extent that targeted employees, and that includes us, willingly, even unknowingly divulge sensitive information. Other miscreants browbeat and threaten for specific data. Some just flat out ask for it. It may not be a significant disclosure in and of itself, but information gleaned by such manipulation can be combined with other bits to produce a detailed and dangerous roadmap to organizational treasures. We must teach staff to be helpful without giving away the store, to serve legitimate customers without being or even appearing paranoid. This class details various psychological workings of social engineering and presents scenarios and role-playing exercises to help us fully comprehend the threat. We also give suggestions for constructing a realistic defense program, emphasizing effects on the business.
IT Security continues to change quickly. The emergence of new technologies and the re-orientation of existing technologies reflect the dynamic nature of this industry. The rapid rate of change reflects the growing sophistication of the attacks as well as the changing nature of the attackers. When new solutions, such as cloud computing, are introduced they often solve one problem while introducing others.
This talk focuses on the growing and ever changing threat landscape and the technical solutions that are available to counteract these threats. The presenters focus on the various technologies examining what they do, how they do it and, of equal importance, what they do not do.
Course Outline:
- Trends in the Threat Arena
- Cloud Computing
- Mobile networking
- Security Information and Event Management (SIEM)
Attendees will learn:
- Various differing threats from single events to advanced persistent threats (APTs) including: malware and rootkits, attacks against the infrastructure, attacks in the cloud, application attacks, and the changing nature of the attacks and attackers.
- Detailed understanding of how various security solutions work: what they do well and what they miss.
- What is new in academia and industry: where the resources are being focused.
- What is meant by virtualization and cloud computing, including a detailed look at security issues in: IaaS, PaaS, and SaaS along with the various security controls for each of these cloud environments.
- Mobile networking: the problems these technologies introduce and what can be done to mitigate these problems.
- Detailed understanding of all of the components of the SIEM architecture and how they work standalone and together in order to aggregate, correlate and visualize the network. Technology components discussed will include: firewalls, IDS, IPS, HBSS, log management, and SIEM products.
Often when organizations embark on the development of an enterprise security program and architecture, they struggle with moving from the high-level contextual and conceptual architectural elements into the lower layers of the SABSA matrix. Part of the issue is how to systematically translate these conceptual layers into specific services and, ultimately, solutions comprised of processes, people, and technology, while maintaining traceability throughout the process.
Over the past two years we have developed a standardized Enterprise Security Services Reference Architecture (ESSRA) that combines administrative, logical, and physical security controls into a set of integrated security services, creating the necessary link between the contextual/conceptual layers and the implementation of specific security solutions. These security services combine control objectives and controls from a variety of best practice frameworks, including ISO 2700x, PCI DSS, and COBIT, into an integrated reference architecture. The reference architecture was developed using techniques from both SABSA and TOGAF, with the goal of establishing an integrated and reusable set of security services that organizations can start with when developing their own enterprise security services architecture, along with supporting reference architectures and design patterns.
During this presentation, the speaker will demonstrate the methods used to create the Enterprise Security Services Reference Architecture and how to apply the reference architecture to develop an organization-specific ESSRA, citing several examples from client engagements. The objective of the presentation is to engage the audience in a dialogue about the practical application of these techniques, how they can be improved, and their applicability within their respective organizations.
Copyright © 2012 COSAC - All Rights Reserved