Upload: bob-radvanovsky

Post on 14-Jun-2015


Convergence of Security 2008 IANS Midwest Information Security Forum


Page 1: IANS-2008

The contents of this presentation are confidential and intended solely for use by forum participants. Copyright © 2008 IANS. All rights reserved.

Convergence of Security

Bob Radvanovsky, Infracritical
Allan McDougall, Evolutionary Security Management

October 20-21, 2008
Midwest Information Security Forum
Chicago, IL

User Briefing

Page 2: IANS-2008

1 2008 Midwest Information Security Forum

Introduction

About Infracritical and Evolutionary Security Management

Infracritical and ESM were formed as a result of the need to establish and define standards and protocols for Critical Infrastructure Protection (CIP). We’re one of the industrial leaders within the private sector, providing research to management, best practice capabilities, education and training, information sharing practices, and (most importantly) information security awareness programs to both private and public sectors throughout the United States, Canada and North America.

About Bob Radvanovsky and Allan McDougall

Experienced in Critical Infrastructure Protection (CIP), visionaries, speakers, and published authors on the subject (Bob: 4 books, Allan: 2 books).

Page 3: IANS-2008


Convergence of Physical and Logical Infrastructure

Physical security infrastructure (access control systems, CCVE, etc.) has traditionally operated in isolation from other systems in order to maintain the confidence that the system has not been compromised.

– As these systems become web-enabled, there is increasing concern that they can be subject to compromises such as hacking, spoofing, etc.
– As these systems take up space within the network infrastructure, there is increasing concern that network assets are becoming single points of failure that can expose the whole organization to compromise.
– Finally, there is increasing concern that as the complexity of these physical security systems increases, they can occupy increasing amounts of network resources (bandwidth) and become a business limiter.

Page 4: IANS-2008

Convergence of Physical and Logical Infrastructure

[Diagram: network-enabled CCTV system spanning several locations; not reproduced in the transcript]

Consider this diagram of a network-enabled CCTV system spanning several locations. Each element is assigned an IP.

Do these infrastructure points allow for an attacker to control the infrastructure point or gain access through the infrastructure point?
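As an added example (not part of the slides), the two questions on this slide and the single-point-of-failure concern on the previous one can be checked against a model of the CCTV topology rather than by eye. All hosts, links and the zone names "internet" and "corp_lan" below are constructed assumptions.

```python
from collections import deque

# Constructed sample topology (not from the slides): links between zones and IP-enabled elements.
LINKS = [
    ("internet", "site1_dvr"),   # DVR web UI published for remote viewing
    ("site1_dvr", "site1_cam1"),
    ("site1_dvr", "site1_cam2"),
    ("site1_dvr", "corp_lan"),   # the same DVR is also on the corporate LAN
    ("corp_lan", "site2_nvr"),
    ("site2_nvr", "site2_cam1"),
    ("corp_lan", "badge_controller"),
]
ZONES = {"internet", "corp_lan"}

def build_graph(links):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def reachable(graph, start, blocked=frozenset()):
    """Breadth-first reachability from start, never stepping into blocked nodes."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure_report(graph, untrusted="internet", trusted="corp_lan"):
    """Elements an outsider reaches before touching the trusted zone (can the
    attacker control the point?) and those that also sit directly on the trusted
    zone (can the attacker gain access *through* the point?)."""
    foothold = reachable(graph, untrusted, blocked={trusted}) - ZONES
    pivots = {d for d in foothold if trusted in graph[d]}
    return sorted(foothold), sorted(pivots)

def single_points_of_failure(graph):
    """Elements whose loss splits the topology (brute-force articulation points)."""
    spof = []
    for node in graph:
        if node in ZONES:
            continue
        others = [n for n in graph if n != node]
        if reachable(graph, others[0], blocked={node}) != set(others):
            spof.append(node)
    return sorted(spof)
```

For the constructed topology the report names the site 1 DVR as both an outside-reachable element that bridges straight into the corporate LAN and a single point of failure, which is the finding the diagram is meant to prompt.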

Page 5: IANS-2008

Solution Strategy

Build awareness and integrate Physical Security and IT Security communities into a common Asset Protection community, paying particular attention to building a comprehensive awareness and capacity of personnel to work across domains.

– Put forward a plausible vision
– Manage expectations
– Set achievable goals
– Maximize the ability to first anticipate, then detect and respond to emerging issues

Page 6: IANS-2008


Key Steps

Key Activities:

– A – Cross-train personnel to build awareness
– B – Small-scale projects to build and prove interaction between communities
– C – Ensure expert-driven contributions to improve effectiveness, reduce waste and identify possible avenues of risk

Key Resources:

– Visionary leadership
– Cross training up to cross certification integrated into job expectations
– Small-scale test environment isolated from critical systems

Page 7: IANS-2008


Results

Security personnel more aware of situations that allow the means and opportunity for threat agents to compromise the organization

Greater granularity of understanding of infrastructure at the enterprise level

Greater ability to achieve domain awareness in terms of facility security and trend analysis through automation

Page 8: IANS-2008


Lesson #1: Manage Expectations

Just because technology exists doesn’t mean it’s appropriate to your environment

– Security intrinsic to the system commensurate to the assets being protected
– Tested, certified, or accredited?

Put a check and balance on new technology acquisitions, ensuring that they are being proposed based on business lines

– New technology should be linked to improvements in business processes or reductions in overhead
– Closely monitor communities that constantly attempt to install the “latest and greatest”

Unnecessary collections of shiny things only attract trouble

Page 9: IANS-2008


Lesson #2: Set a Central Change Management Authority

Senior Management Support

– Early step in the consultation process
– Mandatory step in the approval process

Check and balance for integration of new technologies

– Consistency (procurement, maintenance and disposal)
– Modularity to ensure granularity (detail) and interoperability (compatibility)
– Scalability in support of changing and evolving business requirements

Management of change means appropriately integrating tools to improve efficiency and effectiveness

Page 10: IANS-2008


Lesson #3: Balance the Team

Do not allow Physical Security or IT Security to dominate

– Symbiosis under the need to ensure effective and efficient business processes
– Take advantage of knowledge bases across communities to ensure the best possible solution

Appropriate Delegation

– Prevent decisions made without understanding risk
– Ensure risk management includes consideration for all potentially impacted parties (including system and data owners where appropriate)

Reinforce the concept that individual success is dependent upon team success

Page 11: IANS-2008


Lesson #4: Integrate Process Models for Integration

Similar to the COBIT Model

– Plan and Organize based on business needs, ensuring the ability to prevent, detect, respond to and recover from security events
– Acquire and Implement to ensure that modularity and scalability are maintained while not exposing critical infrastructure to unknown risks
– Deliver and Support using personnel who understand physical and logical risks so that internal actions do not create unknown vulnerabilities
– Monitor and Evaluate the performance of the system against system performance criteria commensurate to the sensitivity of the assets involved

Remember that process is there to serve a purpose, not to be the purpose

Page 12: IANS-2008


Lesson #5: Understand that Knowledge is Power

Awareness in Management of key issues

– What is real and what is visionary

Cross training of experts to minimize conflicts of ideologies and maximize understanding

– Definition bases
– Core concepts and models
– Due diligence

Impose continuous learning and professional development

– Do not allow complacency
– When you’re green you’re ripe, when you’re ripe you’re rotten

You need to understand that administration, management and leadership are complementary but not the same thing

Page 13: IANS-2008


Contact Information

Bob Radvanovsky, CIFI, CISM, CIPS

[email protected]

Allan McDougall, PCIP, CMAS

[email protected]