Board member Security. Per Thorsheim (CISA, CISM, CISSP-ISSAP), Security coordinator. April 4, 2011


DESCRIPTION

This is my presentation for the Scandinavian ISACA conference in Oslo, Monday April 4, 2011. Please contact if you have any questions or comments.

TRANSCRIPT

Page 1: Board Member Security

Board member Security

Per Thorsheim, CISA, CISM, CISSP-ISSAP
Security coordinator

April 4, 2011

Page 2: Board Member Security


The Codes of Conduct Dilemma

• General assembly
• Bedriftsforsamling (corporate assembly, Norway)
• Board of Directors
• CEO
  – Executive board
• Chief Security Officer (CSO)

Codes of Conduct

Security policy

Standards

Guidelines

?

Page 3: Board Member Security


Company (Security) policy

ISACA 4 April 2011 – Per Thorsheim

• May require that all users use a PC and phone provided by the company
• Requires separation between work and other private (work) engagements
• Requires hardening and periodic updating
• Disallows the sharing of accounts / passwords

• A practical challenge for people who sit on many boards
• Easily broken by the above practical challenge
• If the computer is personal, then it is by definition insecure and "illegal" to use
• Personal assistant to the xxx may be a practical challenge to solve

Page 4: Board Member Security


Page 5: Board Member Security

HACKED

Page 6: Board Member Security


The Codes of Conduct Dilemma


• Directors' liability insurance ("styreansvarsforsikring" in Norway)
• (Gross) negligence will affect the insurance agreement

If the board does not comply with (their own) Codes of Conduct and/or security policy, will the insurance company consider that (gross) negligence?

Page 7: Board Member Security


Recommendations (work in progress)


• Use of personal PC: disallowed; PC from the company
• Remote access: terminal server with 2-factor authentication
• Printouts: cross-cut shredder
• Electronic documents: MS Office password protection
• E-mail: encrypted attachments
• Leaving the board: standard company routine
• Problems? VIP customer service (CSO)

• CSO / IA: "right to audit"?
• NASDAQ Directors Desk?

Page 8: Board Member Security


Primary insiders

A person who is a member of the board of directors or management of a listed company, or who is associated with the company in some other way, and who is therefore subject to certain requirements in respect of trading and reporting trades carried out, cf. Sections 3-1 and 2-6 of the Securities Trading Act. Each listed company is responsible for identifying its primary insiders, and is responsible for providing an up-to-date list of its primary insiders to Oslo Børs. Each primary insider is personally responsible for ensuring that the requirements imposed on him or her by the Securities Trading Act are adhered to.

Page 9: Board Member Security


Definition of Primary insiders

Page 10: Board Member Security


Example list of primary insiders(no names shown)

Page 11: Board Member Security


However…


(this is the point where I start to get difficult and annoying…)

Page 12: Board Member Security


Externals: Access to inside information

• Advertising agency
• Communications agency
• Translation service
• External auditor

• E-mail (usually unencrypted)
• E-mail with attachments (usually unencrypted)
• Postal mail
• Mail by courier
• Fax (for signatures!)
• Phone conference service
• (Norwegian) post
• Postal courier
• E-mail MitM attacks

http://www.edb.com/Documents/Articles/E-post_sikkerhet_i_Norge.pdf

Page 13: Board Member Security


Internals: Access to inside information

• LEGAL vs technical access: Domain Admins, helpdesk
• Unauthorized access should be logged and prosecuted: administrative access is not logged (it is technically "legal")
• Company encryption (PCI): same problem with admins
• End-to-end encryption (personal): difficult, requires education

Page 14: Board Member Security


Third-party access to insider information

• Non-Disclosure Agreements (NDA) widely used: a reactive control
• NDA seems to be considered a proactive control (?)
• Detective controls seem rare
• Security requirements in contracts seem sparse ("trust" is common)
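The two preceding slides make one point: administrators and third parties often have technical access to board material without being primary insiders, and that access is rarely reviewed. Below is an added example of the detective control the deck says is rare. It is not code from the presentation; the audit-log format, the board share path, the primary-insider list and the privileged-account list are all constructed for illustration. It reads a file-server audit log, keeps only accesses under the board share, and flags every access by an account that is not on the primary-insider list, distinguishing technical-only accounts (admins, helpdesk, service accounts) from everyone else.

```python
"""Detective control for the 'technical vs legal access' problem.

Added example, not from the presentation. Everything below is
constructed for illustration: the audit-log format, the board share
path, the primary-insider list and the privileged-account list.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed location of board material on the file server.
BOARD_SHARE = "/shares/board/"

# Constructed primary-insider list (user ids only; like the deck's
# example list, no names are shown).
PRIMARY_INSIDERS = frozenset({"chair01", "dir02", "dir03", "ceo01", "cfo01"})

# Accounts with technical (Domain Admin / helpdesk / service) access that
# are not primary insiders.  Constructed for the example.
PRIVILEGED_ACCOUNTS = frozenset({"svc-backup", "helpdesk7", "dadmin-kj"})

# Constructed audit lines: "<timestamp> <user> <action> <path>".
SAMPLE_LOG = """\
2011-03-28T08:02:11Z dir02 READ /shares/board/2011-04/agenda.docx
2011-03-28T08:05:43Z helpdesk7 READ /shares/board/2011-04/q1-results-draft.xlsx
2011-03-28T09:12:00Z dadmin-kj COPY /shares/board/2011-04/q1-results-draft.xlsx
2011-03-28T09:14:30Z ceo01 WRITE /shares/board/2011-04/q1-results-draft.xlsx
2011-03-28T10:01:07Z svc-backup READ /shares/board/2011-04/agenda.docx
2011-03-28T10:40:59Z mkt-agency READ /shares/board/2011-04/press-release-draft.docx
2011-03-28T11:00:00Z helpdesk7 READ /shares/public/phonelist.xlsx
this line is malformed and must be skipped, not crash the audit
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|COPY|DELETE) (\S+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    path: str
    reason: str


def parse_line(line):
    """Return (timestamp, user, action, path), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def access_reason(user, insiders, privileged):
    """None if the user is legally entitled to see board material, else why not."""
    if user in insiders:
        return None
    if user in privileged:
        return "technical access only (admin/helpdesk/service), not a primary insider"
    return "not on the primary-insider list"


def audit(log_text, insiders=PRIMARY_INSIDERS, privileged=PRIVILEGED_ACCOUNTS,
          share=BOARD_SHARE):
    """Every access to the board share by someone who is not a primary insider."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                       # malformed line: skip, do not crash
        ts, user, action, path = rec
        if not path.startswith(share):
            continue                       # not board material, out of scope
        reason = access_reason(user, insiders, privileged)
        if reason is not None:
            findings.append(Finding(ts, user, action, path, reason))
    return findings


def per_user(findings):
    """Flagged accesses per account, for the CSO / internal-audit report."""
    return Counter(f.user for f in findings)


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.user:<12} {f.action:<6} {f.path}  <- {f.reason}")
    print(per_user(found))
```

On the constructed log this flags four accesses (two admin/helpdesk reads, one admin copy, one read by an agency account) and ignores the reads by primary insiders and the access outside the board share. The backup service account is flagged on purpose: its read may be routine, but the deck's point is that such technically "legal" access should be logged and reviewed rather than invisible.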

Page 15: Board Member Security


Recommendation (the ”easy” one…)


Page 16: Board Member Security


Last, but not least: Passwords^11

• 2-day conference on passwords and PINs only
  – Attacks, defenses, forensics and usability aspects covered
  – Panel discussion: "Will we ever get rid of passwords?"
• Bergen (Norway), June 7-8
• Free for all (limited seats available)
• International speakers
• In collaboration with:
  – University of Bergen, Professor Tor Helleseth
  – Sponsored by NISNET
• Free live streaming on ustream.tv
• securitynirvana.blogspot.com & Twitter: #passwords11

Page 17: Board Member Security