Where to start for organizations to address security.
The key concept of security:
- CIA (Confidentiality, Integrity, Availability)
Protection is implemented through security controls (administrative, logical and physical).
Some important principles:
- Access Control / AAA (Authentication, Authorization, Accounting)
- Use Cryptography
- Secure the weakest link
- Defense in Depth
So where to start?
It is easier to attack an infrastructure than to defend it: a single weakest link is enough for an attacker to compromise it.
Below are some important points for security professionals trying to protect the infrastructure.
Change of mindset
From: Our network is not compromised, and we need to protect it against attack.
To: The network is regularly attacked and is already compromised from both the internal and the external perimeter. We need to gain visibility, increase the detection ratio, decrease the vulnerability of systems and reduce the possible impacts.
What are the logical assets to protect? (And by what key are they identified: revenue lost, user privacy, company sensitive data, regulation, public reputation?)
On which systems and platforms are these assets stored?
Who is the owner of these assets? (And who decides whether the risk on a specific platform should be mitigated, e.g. by investments, or accepted?)
Understanding the threats
- External perimeter
  - From the Internet
  - From other widely accessible networks (office LAN, VPN concentrators, other corporate networks, ISP access segments; for telecom operators the IPX, GRX and SS7 networks, etc.)
- Internal perimeter
  - Employee (authenticated user)
  - 3rd party / support / vendor (over VPN or over LAN2LAN connections)
A formal process for delivering new projects in the company is important. Security can be addressed at several project milestones.
- Time to Market Process (TTM) – the company process for project delivery (RFI, RFP, deployment and launch)
- Secure Development Life Cycle (SDLC) – related to the SW development phases of a product
Add security milestones to the TTM process covering some of the following points (the selection and coverage depend on the company's risk acceptance level):
- Security index of the system (how sensitive the system is and what type of hardening and controls should be applied in the project)
- Security questionnaire in the RFP (e.g. asking for some results from the SDLC)
- Security annex to vendor contracts (minimum security requirements, the right to scan the solution, possibly including penalties if the solution does not follow some best practices or the number of vulnerabilities is too high)
- Security hardening in the project
- Security audit
- Acceptance process and minimum security check by the operations team
Risk Assessment / Business case for Security Projects
The resources that can be put into security (financial or HR) are not unlimited, so it is important to invest them where they are most efficient. Risk assessment helps to understand, model and estimate the risks. Knowing the risks makes it possible to estimate the possible financial or non-financial loss and to decide where to accept the risk and where to put additional security controls.
The approach below demonstrates such a business-related risk calculation, which can be useful for approving financial resources for security.
R – Risk (estimated revenue loss per year)
L[eur] – Financial loss per incident
p[%] – Probability (successful attacks per year)
T[%] – Threat (number of attack attempts per year)
V[%] – Vulnerability <0% ; 100%>
R = p * L
p = T * V
=> Risk assessment can be used for business case calculations for security projects (mainly important for private enterprises)
=> Formalize the decision process for where it is reasonable to invest resources to improve security
Risk calculation example:
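An added worked example of the R = p * L, p = T * V model above (constructed values, not the page's own example): it assumes T is a count of attack attempts per year and V a probability in <0 ; 1>, so p is the expected number of successful attacks per year, and it compares the annual risk before and after a hypothetical hardening project against that project's yearly cost.

```python
from dataclasses import dataclass

# Constructed example values (not from the original page).
# Assumed reading of the page's model: T is a count of attack attempts
# per year, V is a probability in <0 ; 1>, so p = T * V is the expected
# number of successful attacks per year and R = p * L is EUR per year.

@dataclass(frozen=True)
class Scenario:
    loss_per_incident_eur: float   # L
    attempts_per_year: float       # T
    vulnerability: float           # V, within <0 ; 1>

    def __post_init__(self) -> None:
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError("V must be within <0 ; 1>")
        if self.loss_per_incident_eur < 0 or self.attempts_per_year < 0:
            raise ValueError("L and T must be non-negative")

def successful_attacks_per_year(s: Scenario) -> float:
    """p = T * V"""
    return s.attempts_per_year * s.vulnerability

def annual_risk_eur(s: Scenario) -> float:
    """R = p * L"""
    return successful_attacks_per_year(s) * s.loss_per_incident_eur

def control_business_case(baseline: Scenario, with_control: Scenario,
                          annual_control_cost_eur: float) -> dict:
    """Compare R before and after a control; the control pays off when the
    risk reduction exceeds its yearly cost, otherwise the risk is accepted."""
    before = annual_risk_eur(baseline)
    after = annual_risk_eur(with_control)
    reduction = before - after
    return {
        "risk_before": before,
        "risk_after": after,
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_control_cost_eur,
        "invest": reduction > annual_control_cost_eur,
    }

# Constructed scenario: L = 50 000 EUR, T = 200 attempts/year, V = 5 %.
BASELINE = Scenario(50_000, 200, 0.05)
# Hypothetical hardening project assumed to cut V to 1 % for 150 000 EUR/year.
HARDENED = Scenario(50_000, 200, 0.01)

if __name__ == "__main__":
    print(control_business_case(BASELINE, HARDENED, 150_000))
```

With these values the baseline risk is 500 000 EUR/year, the hardened risk 100 000 EUR/year, so the 150 000 EUR/year project has a net benefit of 250 000 EUR/year; a weaker control that only cut V to 4 % would not pay off and the risk would be accepted instead.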