Where organizations should start to address security.
The key concept of security:
- CIA (Confidentiality, Integrity, Availability)
Protection is implemented through security controls (Administrative / Logical / Physical).
Some important principles:
- Access Control / AAA (Authentication, Authorization, Accounting)
- Use Cryptography
- Secure the weakest link
- Defense in Depth
So where to start?
It is easier to attack than to defend an infrastructure: one weakest link is enough for the attacker.
Below are some important steps.
Change of mindset
From: "Our network is not compromised, and we need to protect it against the attack."
To: "The network is regularly attacked and is already compromised from both the internal and the external perimeter. We need to gain visibility, increase the detection rate, decrease the vulnerability of systems and reduce the possible impact."
What are the logical assets to protect? (Identified by key criteria: revenue loss, user privacy, company-sensitive data, regulation, public reputation.)
On which systems or platforms are they stored?
Who is the owner of these assets? (Who decides whether the risk on a specific platform should be mitigated, e.g. by investment, or accepted?)
Understanding the threats
- External perimeter
- From Internet
- From other wide accessible network (IPX, GRX, SS7)
- Internal perimeter
- 3rd party / support / vendor
A formal process for delivering new projects in the company is important, so that security is addressed at several milestones.
- Time to Market Process (TTM) – company process related to the projects delivery (RFI, RFP, deployment and launch)
- Secure Development Life Cycle (SDLC) – related to the software development phases of a product
Add security milestones into TTM process:
- Security Index of the System (how sensitive the system is and what type of hardening and controls should be applied in the project)
- Security questionnaire in the RFP (can ask for results from the vendor's SDLC)
- Security annex to vendor contracts (minimum security requirements, right to scan the solution, including possible penalties)
- Security hardening in the project
- Security audit
- Acceptance process, minimum security check by the operations team
Risk Assessment / Business case for Security Projects
Because the resources that can be put into security (financial or HR) are not unlimited, it is important to invest them where they are most effective. A risk assessment helps to understand, model and estimate the risks. Knowing the risks makes it possible to estimate the possible financial or non-financial loss and to decide where to accept the risk and where to put additional security controls.
R – Risk (estimated revenue loss per year)
L[eur] – Financial loss per incident
p[%] – Probability (successful attacks per year)
T[%] – Threat (number of attack attempts per year)
V[%] – Vulnerability <0% ; 100%>
R = p * L
p = T * V
=> Risk assessment can be used for the business-case calculation of security projects (mainly important for private enterprises)
=> It formalizes the decision process about where it is reasonable to invest resources to improve security
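The formulas above, carried through as an added example (not part of the original notes): annual risk R = T * V * L per asset, a ranking of assets by R, and a business-case check that compares the risk reduction a control buys (by lowering V) against its yearly cost. The asset figures, control names and costs are constructed sample values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    T: float  # threat: attack attempts per year
    V: float  # vulnerability: probability an attempt succeeds, 0.0..1.0
    L: float  # financial loss per successful incident, in EUR


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # yearly cost of operating the control, in EUR
    residual_V: float   # vulnerability that remains once the control is applied


def successful_attacks_per_year(asset: Asset) -> float:
    """p = T * V"""
    return asset.T * asset.V


def annual_risk(asset: Asset) -> float:
    """R = p * L, the estimated yearly loss for this asset."""
    return successful_attacks_per_year(asset) * asset.L


def prioritize(assets: list[Asset]) -> list[tuple[str, float]]:
    """Rank assets by annual risk so limited budget goes to the largest R first."""
    return sorted(((a.name, annual_risk(a)) for a in assets), key=lambda x: -x[1])


def business_case(asset: Asset, control: Control) -> dict:
    """Invest only if the risk reduction exceeds the control's yearly cost; otherwise accept the risk."""
    before = annual_risk(asset)
    after = annual_risk(replace(asset, V=control.residual_V))
    reduction = before - after
    return {
        "risk_before": before,
        "risk_after": after,
        "reduction": reduction,
        "net_benefit": reduction - control.annual_cost,
        "invest": reduction > control.annual_cost,
    }


# Constructed sample assets and candidate controls (hypothetical numbers).
CUSTOMER_DB = Asset("customer database", T=200, V=0.05, L=50_000)
INTERNAL_WIKI = Asset("internal wiki", T=50, V=0.02, L=2_000)
DB_HARDENING = Control("database hardening + monitoring", annual_cost=60_000, residual_V=0.01)
WIKI_HARDENING = Control("wiki hardening", annual_cost=10_000, residual_V=0.005)
```

Running `business_case(CUSTOMER_DB, DB_HARDENING)` yields a net benefit of 340,000 EUR per year (invest), while the wiki control costs more than the 1,500 EUR of risk it removes (accept the risk).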