© Copyright 1989 – 2011, (ISC)2 All Rights Reserved
Critical Infrastructure Protection (CIP)
Chuan-Wei Hoo, CISSP, CISA, CFE, BCCE
Volunteer Speaker, (ISC)²
Security Architect at Business Continuity & Security
Governance, British Telecom Global Services www.isc2.org
#IISF2011
Agenda
• Introduction
• Current State Of Play
• Back To Basics
• Practical Approach
• Minimum Controls
• Q & A
CIP – Introduction*
Entertaining, funny or scary? (* Source: YouTube.com)
Current State Of Play – Recent Failures
Current State Of Play – Past Failures
Even in the movie Jurassic Park, the risk of insider threat was clearly demonstrated by the character Dennis Nedry, the Park’s chief computer programmer, who designed the system that ran the island. He was suffering from unspecified financial problems and felt disgruntled when he was not paid as much as he wanted for his job.
Dennis turned traitor and, secretly and for a sizable sum, agreed to smuggle embryos of all 15 dinosaur species off the island. He shut down all the safety systems so as to bypass the electric fences and the security cameras. With the power gone, the dinosaurs began escaping from their pens and started killing people.
…Possible causes
• Lack of segregation of duties?
• Complacency? …contented self-satisfaction
• Lack of visibility?
• Lack of privileged access management?
• Single-point-of-failure (SPOF)
• Ineffective patch management?
Back To Basics
• CIP
– The preparedness for and response to serious incidents that involve critical infrastructure (CI), e.g. airports and service providers (electric power, water, telecommunication, etc.)
– Some CI are run by SCADA (supervisory control and data acquisition) systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes.
Practical Approach
• “Outside-in” versus “Inside-out”
[Diagram: Asset – Physical, Logical, Procedural, Technology; Asset (sub-components) – Physical, Logical, Procedural, Technology]
Outside-in
• Explore all possible threats to the asset; no breakdown of the asset
• Assess the potential impact and likelihood of each threat
• Determine the mitigating control to each threat
• Design and build the controls for protection
Outcome: Solution tends to be overly engineered and can be costly. Might fail to address some peculiar threats.
Inside-out
• Identify the asset; classification and categorization
• Explore all possible threats to each categorization
• Assess the potential impact and likelihood of each threat
• Determine the mitigating control to each threat
• Design and build the controls for protection
Outcome: Engineered solutions are targeted to the respective threats and vulnerabilities of each categorization. A more comprehensive approach.
Minimum Controls
• Executive management support
• Thorough understanding/knowledge
– Business
– IT (full inventory - everything)
– Operations (supported by IT)
• Regular comprehensive review
– Identify SPOF
• Continuous self assessment
– Applicable control for tomorrow’s threats
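An added example, not from the talk or from (ISC)², that applies the inside-out approach (classify the asset into sub-components, score each threat's impact and likelihood, pick controls) together with the Minimum Controls items "full inventory" and "identify SPOF" to a small constructed SCADA inventory. Every component name, dependency and score is assumed for illustration, and scoring a threat as impact × likelihood is the example's own choice, not a rule stated in the deck.

```python
# Added example, not from the talk: inside-out review of a constructed SCADA
# inventory. Threat score = impact x likelihood (1..5 each; this scoring rule
# is the example's assumption), SPOFs = components whose loss stops a service.
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    facet: str            # Physical, Logical, Procedural or Technology
    depends_on: tuple = ()   # groups; each group needs one working alternative
    threats: dict = field(default_factory=dict)  # threat -> (impact, likelihood)

# Constructed inventory; names and scores are illustrative only.
INVENTORY = [
    Component("pump_plc", "Technology",
              (("power_feed", "backup_generator"), ("hmi_network",)),
              {"unpatched firmware": (5, 3), "physical tamper": (4, 1)}),
    Component("hmi_network", "Logical", (("core_switch",),),
              {"flat network shared with office LAN": (4, 3)}),
    Component("core_switch", "Technology", (("power_feed", "backup_generator"),),
              {"hardware failure": (4, 2)}),
    Component("power_feed", "Physical", (), {"grid outage": (5, 2)}),
    Component("backup_generator", "Physical", (), {"fuel not topped up": (3, 3)}),
    Component("change_control", "Procedural", (),
              {"one admin approves own changes": (3, 4)}),
]

def risk_by_facet(inventory):
    """Threats ranked per facet as (score, component, threat), highest first."""
    ranked = {}
    for c in inventory:
        for threat, (impact, likelihood) in c.threats.items():
            ranked.setdefault(c.facet, []).append((impact * likelihood, c.name, threat))
    return {facet: sorted(v, reverse=True) for facet, v in ranked.items()}

def operational(inventory, name, failed):
    """True if `name` has not failed and every dependency group still has a
    working alternative (the dependency graph is assumed acyclic)."""
    if name in failed:
        return False
    comp = next(c for c in inventory if c.name == name)
    return all(any(operational(inventory, alt, failed) for alt in group)
               for group in comp.depends_on)

def single_points_of_failure(inventory, service):
    """Components other than `service` whose single failure stops `service`."""
    return sorted(c.name for c in inventory
                  if c.name != service and not operational(inventory, service, {c.name}))
```

Running `single_points_of_failure(INVENTORY, "pump_plc")` shows that the redundant power feed is not a SPOF while the unduplicated switch and HMI network are, which is the kind of finding the regular review is meant to surface.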
…Management wise
• So what should we do?
– Top-down; get the executive management to push down the compliance need (must-do even when it is difficult to reach the right people)
– Bottom-up, work the ground to get the co-operation of the key stakeholders (lots of PR)
– Acquire the necessary training (training, certification)
– Define detailed SOPs (framework, standards e.g. ISO/IEC 27001:2005)
– Governance review committee (you chair the committee, using reference from a reputable source)
– Put in measurements (measurable):
• Key risk indicators
• Key performance indicators
Key Messages
• There’s no silver bullet to the problem, only mitigating controls to minimize the risk.
• Know where your assets are; information & infrastructure (was and is).
• Review and enhance your existing design and plans.
• Review and enhance your existing controls to protect your information assets.
• Continue to educate the end-users and raise awareness (most critical).
Thank you!