Quick lecture on understanding information security in an organization

1. CIS 264 Week 1
Highline Community College
Dan Morrill

2.  Roles within the company
 Risks that are part of the regulatory landscape (SOX,
HIPAA, FERPA, PCI-DSS, etc.)
 Risks that are part of the business decisions
 Risks that are part of the technology decisions
 Risks that are part of the security decisions
 HIPAA requires a firewall, the business decides to
purchase CISCO because of an existing contract,
Technology purchases a Cisco 7600 with a firewall
module, security configures it to work on the network by
opening ports and allowing access to services

3.  Decisions for technological solutions will be made by
people who do not understand the technology
 Decisions for purchasing will be made by existing
contracts and discounts with IT providers
 Decisions might be locked in for years (Cisco,
Microsoft, Linux) because of those contracts
 And it is hard to swap out technologies, it is nearly
impossible for a Windows shop to go to Linux in its
entirety because of “lock in” with vendors
 You see this now with cloud computing, and the attempt
to avoid vendor lock in with any provider

4.  Point solutions are still popular in organizations
 Technology and security need to understand what needs
to be protected in the organization
 Technology and security need to understand the critical
assets for business continuity (the systems the company
needs to run to continue to do business)
 Every manager and executive thinks that their systems are
business critical and will make decisions about IT, Business
Continuity, and Disaster recovery based on that perception
 Businesses are highly political
 Don’t tell the VP you can’t do it, or won’t do it – they will
find a way to make it happen regardless of what IT says

5.  Technology and security need to identify every IT
solution in the company and how the interconnect to
each other to deliver services
 This includes new, old, vintage, and forgotten systems
and programs
 Some programs and systems will be orphaned in the
organization with no clear manager or maintainer
 Some users do not want their systems upgraded or
changed and will help kill new systems or changes
 Some managers do not want to lose what political power
they have – and will help kill new systems or changes

6.  Technology provides solutions to business
problems, business problems are based on the
perceived power of the people making those decisions
 What are the systems we need to protect
 Who uses them and how
 What are the risks we are trying to reduce
 What is the highest priority risks (this is heavily
influenced by power both actual and perceived within
an organization)
 Are you reducing risks in the most cost effective way?
 Heavily dependent upon politics and power within the
organization

7.  Risk = (threats x vulnerabilities) + (likelihood x impact) +
(politics + positional power in the organization)
 Risk is the probability of loss
 This means uncertainty and messy answers
 This means that the “risk” is open to political and positional
influence up and down the organization
 Risk is the possibility of a threat
 How likely is something to happen, how clever are the
hackers, how clever is IT and security?
 Risk is qualified (measured) by how likely something is to
happen to the systems
 This is prone to second guessing, and lack of imagination

8.  A vulnerability is the weakness that makes the
resource susceptible to the threat.
 A threat is anything capable of acting against a
resource in a manner that can result in harm
(intentionally or accidentally).
 The likelihood is a measure of how probable it is that
the threat/vulnerability pair will be realized.
 The severity is a measure of the magnitude of the
consequences that result from the threat/vulnerability
pair being realized for that resource.

9.  Likelihood:
 Critical (5) – Exposure is apparent through casual use or with publicly
available information, and the weakness is accessible publicly on the
Internet
High (4) – The threat-source is highly motivated and sufficiently
capable, and controls to prevent the vulnerability from being exercised
are ineffective.
Moderate (3) – The threat-source is motivated and capable, but
controls are in place that may impede successful exercise of the
vulnerability.
Low (2) – The threat-source lacks motivation or capability, or controls
are in place to prevent, or at least significantly impede, the
vulnerability from being exercised
Extremely Low (1) – The threat-source is part of a small and trusted
group, controls prevent exploitation without physical access to the
target, significant inside knowledge is necessary, or purely theoretical

10.  Severity:
 Critical (4) – May allow full access to or control of the
application, system, or communication including all data
and functionality
High (3) - May allow limited access to or control of the
application, system, or communication including only
certain data and functionality
Moderate (2) – May indirectly contribute to unauthorized
activity or just have no known attack vector. Impact may
vary as other vulnerabilities or attack vectors are identified.
Low (1) – May indirectly contribute to unauthorized
activity or just have no known attack vector. Impact may
vary as other vulnerabilities or attack vectors are identified.

11.  Risk Exposure:
 1 – 4 Low - May have some minor effect on the system, but likely little impact to the
organization overall. Recovering from such an impact will require minimal expenditures
and resources. A single issue, by itself, may not place the integrity, availability, or
confidentiality of a system at risk. Multiple issues in this category could be combined,
however, in an exploit attempt.
5–7 Moderate - May result in some tangible impact to the organization. The
impact could be narrow in focus and perhaps only noted by a few individuals or parts of
the organization. May cause organizational embarrassment. Recovering from such an
impact will require some expenditure and resources.
8 – 11 High - May cause an extensive system outage, and/or loss of customer or
business confidence. May also result in compromise of a large amount of the
organization’s information or services, including sensitive information. Recovering from
such an impact will require a substantial amount of expenditure, resources, and
time. These vulnerabilities should be taken seriously and addressed quickly.
12+ Critical - This level of risk exposure is unacceptable for any aspect of the
environment. It introduces a level of exposure that cannot be maintained over time. The
remaining categories may be acceptable depending on the risk tolerance range.

12.  Applied Risk Exposure:
 1–8 Low - Acceptable without review by
management
9 – 25 Moderate - Management must determine
whether corrective actions are required or decide to
accept the risk
26 – 39 High - Undesirable and requires corrective
action. A plan must be developed to incorporate these
actions within a reasonable period of time based on
the discretion of management.
40+ Critical - Undesirable and requires
immediate corrective action

13.  There are two primary approaches to information
security at this time
 Proactive
 Reactive
 Proactive – identify risks and vulnerabilities to systems
before hackers do, and take appropriate actions to
secure them and minimize risk
 Reactive – wait to get hacked, then take appropriate
measures and actions to secure them and minimize
risk

14.  Reactive information security has generally fallen out
of favor
 Most companies do a combination of reactive and
proactive security
 Patch updates
 Internal security testing
 If hacked – find the way they got in and fix it
 Reactive information security has a hard time scaling to
the organization because of the complexity of systems
being used and the number of ways that networks are
accessed
 BYOD complicates the matter of reactive because it is
very hard to define where the network boarder is

15.  Proactive information security is limited by:
 The imagination of people doing security risk management
 The skills of the employees who conduct information security
surveys of the network
 The support of management to fix problems (that might be
critical but costly) in a reasonable period of time
 “Security as a Cost Center” the perception of no real benefit to
the company because nothing bad ever happens
 Proactive information security is written into some
regulations by specifying that companies will accomplish
tasks like third party network evaluations, firewalls, and
other security systems as part of the companies operations

16.  One of the largest problems in information security is
that there are a large number of “unknowns”
 It is unknown to most companies, law enforcements,
and governments just how many vulnerabilities there
are out there
 There is a broad and complex market for “Zero Day”
vulnerabilities that are used by companies, criminals,
law enforcement and governments without notifying the
developer of those flaws
 Most companies cannot and do not belong in the
business of “zero day” research

18.  Hacks get more complex
 Hackers duration on the networks increases
 AV might not catch it all
 Firewalls and SEIM systems might not see it all
 Coders will never write unhackable code
 Systems are exposed everywhere there is a connection
 Open markets for vulnerabilities
 Slow OEM response at times to vulnerabilities

19.  You have to manage your networks, systems, access points,
user front ends, and everything else with what you know
 People in technology and/or information security that do not
constantly learn new stuff become obsolete within a year
 You have to work with an often dysfunctional organization
to learn to play politics to secure systems adequately
 You have to trust OEM’s to deliver a patch in time
 You have to trust your systems based on what they are
seeing
 And you have to get creative with your skills to keep your
networks safe