peter sandilands - australian information security association - compliance driven security,...
Compliance driven security, realistic or just aspirational?
Peter Sandilands
Vice Chair, Advocacy Group
Often evolves to an owning entity
• Governance, Risk and Compliance team – GRC
• Compliance Group – within Security
• Their job
• Their KPIs
• Their raison d'être
Driven by Standards bodies
• PCI SSC
• NIST
• FISMA – USA
Driven by advice providers
• APP
Driven by regulation
• ASD
• APRA
Strategies to Mitigate Targeted Cyber Intrusions
Ranking 2014 (2012) | Mitigation strategy | Overall security effectiveness
1 (1) | Application whitelisting | Essential
2 (2) | Patch applications | Essential
3 (3) | Patch operating system vulnerabilities | Essential
4 (4) | Restrict administrative privileges | Essential
Ranking 2014 (2012) | Mitigation strategy | Overall security effectiveness
5 (18) | User application configuration hardening | Excellent
6 (new) | Automated dynamic analysis of email and web content | Excellent
7 (21) | Operating system generic exploit mitigation mechanisms | Excellent
8 (11) | Host-based Intrusion Detection/Prevention System | Excellent
9 (5) | Disable local administrator accounts | Excellent
10 (7) | Network segmentation and segregation | Excellent
11 (6) | Multi-factor authentication | Excellent
12 (8) | Software-based application firewall, blocking incoming network traffic | Excellent
Ranking 2014 (2012) | Mitigation strategy | Overall security effectiveness
13 (9) | Software-based application firewall, blocking outgoing network traffic | Excellent
14 (10) | Non-persistent virtualised sandboxed trusted operating environment | Excellent
15 (12) | Centralised and time-synchronised logging of successful and failed computer events | Excellent
16 (13) | Centralised and time-synchronised logging of allowed and blocked network events | Excellent
17 (14) | Email content filtering | Excellent
18 (15) | Web content filtering | Excellent
19 (16) | Web domain whitelisting for all domains | Excellent
20 (19) | Block spoofed emails | Excellent
21 (22) | Workstation and server configuration management | Good
22 (25) | Antivirus software using heuristics and automated internet-based reputation ratings | Good
23 (24) | Deny direct internet access from workstations | Good
24 (23) | Server application security configuration hardening | Good
Critical Security Controls
CSC # | Control Description
1 | Inventory of Authorized and Unauthorized Devices
2 | Inventory of Authorized and Unauthorized Software
3 | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4 | Continuous Vulnerability Assessment and Remediation
5 | Controlled Use of Administrative Privileges
6 | Maintenance, Monitoring, and Analysis of Audit Logs
7 | Email and Web Browser Protections
8 | Malware Defenses
9 | Limitation and Control of Network Ports, Protocols, and Services
10 | Data Recovery Capability
Critical Security Controls - CIS
CSC # | Control Description
11 | Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12 | Boundary Defense
13 | Data Protection
14 | Controlled Access Based on the Need to Know
15 | Wireless Access Control
16 | Account Monitoring and Control
17 | Security Skills Assessment and Appropriate Training to Fill Gaps
18 | Application Software Security
19 | Incident Response and Management
20 | Penetration Tests and Red Team Exercises
Security Controls?
• Are these really Security controls?
• Looks more like good practice for running IT
Security vs Operations
• Usually separate departments
• Often separate reporting lines
• Depicted as us versus them – from both sides
• Compliance makes a third leg to the conflict
Guiding principles
• Have Operations run the infrastructure – following sensible practice
• Have Security provide the guidance on minimising the risk in good practice
• Have GRC monitor the effectiveness of both teams
Focus needs to be
• Meet the business requirements
• Do so with an acceptable level of Risk
• Compliance initiatives should be a guide to healthy practices