Chuan weihoo_IISF2011
0 likes375 views
The document discusses critical infrastructure protection (CIP). It outlines recent and past failures of CIP and possible causes. It then discusses taking a practical "inside-out" approach to CIP that involves identifying assets, exploring threats to each type of asset, assessing impacts and likelihoods, and determining controls. Key messages are that there is no single solution; organizations must know their assets, review existing plans and controls, and continue user education.
Chuan weihoo_IISF2011
- 1. Critical Infrastructure Protection (CIP) Chuan-Wei Hoo, CISSP, CISA, CFE, BCCE Volunteer Speaker, (ISC)² Click Architect at Business Continuity & Security Security to edit Master title style Governance, BritishTelecom Global Services www.isc2.org #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 2. Agenda • Introduction • Current State Of Play • Back To Basics • Practical Approach • Minimum Controls • Q&A Click to edit Master title style #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 3. CIP – Introduction* Click to edit Master title style Entertaining, funny or scary ??? * Source from Youtube.com #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 4. Current State Of Play – Recent Failures Click to edit Master title style #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 5. Current State Of Play – Past Failures Click to edit Master title style Even in the movie - Jurassic Park , the risk of internal threat was clearly demonstrated by the character - Dennis Nedry, the Park’s chief computer programmer who designed the system which ran the island. He was suffering from unspecified financial problems and felt disgruntled when he was not paid as much as he wanted for his job. Dennis turned traitor and secretly for a sizable sum, agreed to smuggle embryos of all 15 dinosaur species off the island. He shut down all the safety systems so as to avoid the electric fences and spying security cameras. With the power gone, the dinosaurs began escaping from their pens and started killing people. #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 6. …Possible causes • Lack of segregation of duties? • Complacency? …contended self-satisfaction • Lack of visibility? • Lack of privileged access management? • Single-point-of-failure (SPOF) • Ineffective patch management? Click to edit Master title style #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 7. Back To Basics • CIP – The preparedness and response to serious incidents that involves critical infrastructure (CI) e.g. airports, service providers (electric power, water, telecommunication, etc) – Some CI are SCADA (supervisory control and data acquisition), computer systems that monitor and control industrial, infrastructure, Click to edit Master title style or facility-based processes. #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 8. Practical Approach • “Outside-in” versus “Inside-out” Physical Physical Asset (sub- Technology Asset Logical Technology components) Logical Click to edit Master title style Procedural Procedural #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 9. Outside-in • Explore all possible threats to the asset; no breakdown of the asset • Access the potential impact and likelihood of each threat • Determine the mitigating control to each threat • Design and build the controls for protection Click to edit Master title style Outcome: Solution tends to be overly engineered and can be costly. Might fail to address some peculiar threats. #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 10. Inside-out • Identify the asset; classification and categorization • Explore all possible threats to each categorization • Access the potential impact and likelihood of each threat • Determine the mitigating control to each threat • Design and build the controls for protection Click to edit Master title style Outcome: Engineered solutions are targeted to the respective threats and vulnerabilities of each categorization. A more comprehensive approach. #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 11. Minimum Controls • Executive management support • Thorough understanding/knowledge – Business – IT (full inventory - everything) – Operations (supported by IT) • Regular comprehensive review – Identify SPOF Click to edit Master title style • Continuous self assessment – Applicable control for tomorrow’s threats #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 12. …Management wise • So what should we do? – Top-down; get the executive management to push down the compliance need (must-do even when it is difficult to reach the right people) – Bottom-up, work the ground to get the co-operation of the key stakeholders (lots of PR) – Acquire the necessary training (training, certification) – Define detail SOP (framework, standards e.g. ISO/IEC27001:2005) – Governance review committee (you chair the committee, using Click to edit Master title style reference from a reputable source) – Put in measurements (measureable): • Key risk indicators • Key performance indicators #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 13. Key Messages • There’s no silver bullet to the problem, only mitigating controls to minimize the risk. • Know where are your asset; information & infrastructure (was and is). • Review and enhance your existing design and plans. • Review and enhance your existing controls to protect your Click to edit Master title style information asset. • Continue to educate the end-users and raise awareness (most critical). #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
- 14. Thank you! Click to edit Master title style #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved