Define an InfoSec Program for Quick Launch
James Cusick, PMP
Director IT & CSO, CT Corp (CLS)
Boston
Defining a Security Program – Setting Goals and Getting Started – Engaging the Full Community
BP 60
Version 1.0
Agenda
– Introduction
– Security Imperative & Program Origins
– Assembling the Program
– Details of the Program
– Secure Software Development
– Closing
Session Objectives
At the end of this session, you will be able to:
1. Understand a practical, business-grounded security program
2. Leverage the approach used by CT to jumpstart a security program of your own
3. Explore the appropriate governance model for a security program
4. Implement a security response function
5. Implement a security risk tracking approach
6. Discuss differing security standards
7. Apply tools for scanning software code to uncover security vulnerabilities
8. Consider secure SDLC frameworks
Presenter
James Cusick, Director IT, CT Operations Center & CSO, CLS/CT Corp
James is responsible for leading CT's Operations Center, which provides product support to customers. The team also provides business analysis support, operations project management, and platform engineering. James is also the Chief Security Officer for CT Corp. In this role James is responsible for defining and managing CT's Information Security program, which encompasses overall security as well as technical security. His recent work in this area is the subject of this talk.
SECURITY IMPERATIVE & PROGRAM ORIGINS
The "why" and "whence"
I'll Know Security When I See It (IT?)
There are too many examples of security breaches and hacks
– Target breach, a classic anti-pattern of security management:
  • 40 million credit cards and PII on 70 million customers stolen
  • The InfoSec team disabled FireEye, which catches such malware attacks in real time, because they were not confident in the tool, and alerts were ignored
  • The company was also very slow to respond and communicate
– Many other serious attacks have occurred recently:
  • Heartland Payment Systems: 134 million credit cards exposed through SQL injection used to install spyware
  • RSA Security: possibly 40 million employee records stolen
  • Sony's PlayStation Network: 77 million PlayStation Network accounts hacked; Sony lost millions while the site was down for a month
– Attacks are up 45% over the last year (according to the FBI)
The Business Context
A Call to Action
– It is now an essential requirement of every company to have an adequate and effective security program, which includes an Information Security strategy (think WK vs. your division)
Who is CT?
– CT Corp is an operating unit of WK's Corporate Legal Services
– We support thousands of customers with their legal services needs, especially in the areas of agent representation, corporate governance, and related areas
The role of security for CT
– Our customers demand high security around the services we provide, and security can be a competitive advantage
– CT also needs to ensure protection of its staff and information assets for its own purposes
The Original Objectives
Defining the Program Structure
• What is the value statement for the business?
• Establish a governance model with stakeholder reviews
• Obtain executive sign-off on any specific C&G level policies
Technical Requirements
• Establish a CSIRT to respond to incidents, resolve them, and report to management
• Design security needs into systems and operations
• Develop standards and compliance goals (e.g., SSAE 16 controls, ISO 27000 compliance)
Other Requirements
• Coordinate with the GSS Global Security Office and CLS Security/Audit
• Monitor and manage security risk for the company
• Responsible for employee awareness of security
ASSEMBLING THE PROGRAM
Research, Ramp-up, Design, Review
Getting a Program Together
After my head stopped spinning … I did what I always do when faced with a challenge:
– Think
– Reflect
– Call a friend
– Hit the Google
– Start planning & writing
A Security Program, it turns out, is not so different from other IT programs
First Things First
Getting Ramped-up
– Researching the current state of the security world
– Like most things, it is broad and deep
Tapping into WK SMEs
– Head of central WK Security
– Head of Divisional Security
– Other internal security experts
Tapping into external colleagues
– A former security consultant (CISSP)
– A former VP of security research
Vendors and Conferences
– Cigital sales meetings and SOW development
– Oracle's CSO Advisory Board and product training
– Japan Society panel discussion on Cybersecurity
– CT Tech Forum on OWASP
What were the Key Lessons?
1. Understand risks, then develop plans to manage risks
2. Need to win over the hearts and minds of staff around risks
3. Staff training has the highest ROI of all activities
4. Classify what information is vital to the business in tiers
5. Security as enabler, not a cost: work to support business success, not to stop operations
6. Assessment is a good starting point; understand your gaps
7. Embed CSIRT into standard incident management
8. CISSP is a mile wide and an inch deep; Black Hat Boot Camp is superior
9. Attack vectors are multiplying: air-conditioners, rice cookers …
10. As high-value targets are hardened, hackers will go after others
Developing the Program Plan
After reading several security program plans, drafted a comprehensive program plan
Core Program Document Contents:
– Goals, Mission, Scope
– Governance Structure
– InfoSec Function
– InfoSec Monitoring and Reporting
INFOSEC focuses on the protection of defined corporate information assets at an effort and cost proportional to the risk of losing them or having them exposed.
Building From WK Security Policies
There is a WK security policy
– All employees are required to take the security awareness training
– All employees are expected to comply with the corporate security policy
The CT approach is to reinforce and extend this policy
– Executive involvement
– Coordinated planning around agreed goals
– Supporting the business (e.g., marketable standards compliance)
– Secure development practices to prevent breaches
– Deepening security awareness
Key Steps in Establishing the Program
1. Frequent collaboration with the CTO on program development
2. Eventual kick-off meeting with the GM (Exec Sponsor)
3. 1-on-1 pre-rollout discussions with council members
   – Nemawashi (根回し): informal process of quietly laying the foundation for some proposed change or project by talking to the people concerned, gathering support and feedback
4. Council charter announcement by the CTO
5. Detailed program introduction to IT staff
6. Briefings with other IT development partners on the program
7. Preparing for broader communications with the support of the ISC (InfoSec Council)
DETAILS OF THE PROGRAM
The Piece Parts
CT Info Security Council Structure
– ISC members represent all areas of the business
– The ISC oversees the Security Program and reviews risks and priorities with the CSO
– Internal and External Audit are participants in the process
– In future, broader representation is foreseen through a network of "security liaisons" throughout the organization
(Slide diagram of the council structure; one element is labelled "Future Role")
The Risk Registry (an ISO 27000 approach)
(Slide shows a risk registry table populated with fictitious examples)
The CSIRT
– The Computer Security Incident Management Team provides for response, resolution, and management of security incidents
– Within CT we manage production incidents through an IRT process (Incident Response Team); this provides a tool, a team structure, and a process for resolution, escalation, communication and more
– To establish the CSIRT we leveraged the existing IRT; this required informing IRT members of the change and updating the ticket interface (see screen shot)
– During 1H2014 we had 2 significant security events and the CSIRT was put to use: the OpenSSL/Heartbleed bug and the IE/Adobe vulnerability. The CSIRT handled both rapidly and fully
CT Security Standard Roadmap Thinking
• Currently SOC 1 compliant
• SOC 2 & ISO 27001 gap assessment 2H2014
• SOC 2 Type 1 assessment 2015 (security, availability, processing, confidentiality)
• ISO 27001 compliance OR certification, in conjunction with SOC 2 or following SOC 2
(Roadmap timeline on the slide: Assessment – 4Q2014; SOC 2 Type 1 – 2015; ISO 27000 – 2016)
CT Core Vendor Standards Compliance
Dell
– SSAE 16 and ISO/IEC 27001 compliant
The Digital Group
– SSAE 16 and ISO/IEC 27001:2005
HCL
– ISO/IEC 27001:2005
– SSAE 16 SOC 1 Type II Report – Facility Level Controls
– SSAE 16 SOC 1 Type 2 Report – for WK services
TCS (Tata Consultancy)
– ISO 27001 Certified
SECURE SOFTWARE DEVELOPMENT
Understanding the Need and Evolving the Practice
Cigital's Secure SDLC Model (diagram)
First Steps Infusing Security into Agile SDLC
Requirements
– Calls for development of clear specifications around security needs and platform capabilities
Code Scanning
– Need to identify a tool (e.g., VCG, IBM AppScan Source, Checkmarx)
– Insert a step within each Scrum or at final pass to scan code
– Institute code corrections when vulnerabilities are found
– Anticipate that the team will learn best practices of secure coding over time
Security Testing
– Develop security-oriented testing off of requirements
– Create malicious hacking cases to stress applications
More Regular Penetration Testing
Scanning the Code Base
Understanding the vulnerabilities resident in the code base is a critical first step in determining exploitable risks.
In February a code scan was done on 3 MLOC using Visual Code Grepper, an open source tool available from SourceForge:
– http://sourceforge.net/projects/visualcodegrepp/files/?source=navbar
There were a large number of "hits" that came out of the scan. The findings were of many categories, including coding standards, debug mode in production, and various other warnings. None were above medium in severity. The findings were provided to the development team, who carefully reviewed them and developed plans to address the ones that required attention. Some were not seen as issues and were ignored (e.g., warnings about passwords when a variable was called "password").
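To show why a raw scan produces many "hits" that still need review, and how the "variable merely named password" class of finding is separated from a real hard-coded credential, here is an added example that is not code from the presentation or from Visual Code Grepper: a small grep-style scanner with a triage pass run over constructed sample lines. The rule names, severities and sample source are assumptions made for this illustration.

```python
import re

# Constructed, illustrative rules; this is not VCG's rule database.
RULES = [
    ("password-keyword", re.compile(r"password", re.I), "medium"),
    ("debug-mode", re.compile(r"\bdebug\s*=\s*true\b", re.I), "medium"),
    ("todo-comment", re.compile(r"//\s*(TODO|FIXME)\b"), "low"),
]
# Only a quoted literal assigned to a password-like name is a hard-coded
# credential; a variable merely *named* password is not.
LITERAL_CRED = re.compile(r"password\s*=\s*[\"'][^\"']+[\"']", re.I)

def scan(lines):
    """Raw pass: every rule match is a finding, as a grep-style tool reports it."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, pattern, severity in RULES:
            if pattern.search(line):
                findings.append({"line": n, "rule": name, "severity": severity,
                                 "text": line.strip(), "status": "open"})
    return findings

def triage(findings):
    """Review pass: password hits with no literal assigned are marked noise."""
    for f in findings:
        if f["rule"] == "password-keyword" and not LITERAL_CRED.search(f["text"]):
            f["status"] = "noise"
    return findings

def summarize(findings):
    """Open findings per severity: the figure handed to the development team."""
    counts = {}
    for f in findings:
        if f["status"] == "open":
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

# Constructed C#-like sample lines standing in for the scanned code base.
SAMPLE_SOURCE = [
    'string password = Request.Form["password"];',  # runtime value: noise
    'var adminPassword = "hunter2";',               # hard-coded literal: real
    'compilation.Debug = true;',                    # debug mode left on
    '// TODO: remove test account before release',
    'int count = 0;',
]

if __name__ == "__main__":
    for f in triage(scan(SAMPLE_SOURCE)):
        print(f"L{f['line']} {f['rule']:<17} {f['severity']:<6} {f['status']:<5} {f['text']}")
```

Run against the five sample lines, the raw scan reports four hits, triage downgrades the first password hit to noise, and the summary leaves two medium and one low open finding, none above medium.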
CLOSING
Summary and Next Steps
Bringing it All Together (diagram)
Action Plan / Next Steps
Consider the following initial steps
– Research security trends and standards
– Develop security program objectives
– Touch base with people in the field
– Create stakeholder buy-in, especially from the business
– Assess key gap areas and develop action plans
– An overall program plan is recommended
– Avoid trying to boil the ocean; slice the problem into manageable pieces for the near, middle, and long term
Questions?
Contact Information
James Cusick
Director IT, CT Operations Center & CSO
CT Corp, Corporate Legal Services
New York, NY
[email protected]
APPENDIX
Additional Notes
Security as Strategic Element for the Business
Information Security provides critical benefits to the business:
– Protection of company and customer information assets
– Assistance in winning customer business, especially in highly regulated industries like banking, finance, and insurance
– Reduction in liability due to information leaks or intrusions
– Compliance with Wolters Kluwer required security policies
The intention of the CT Corp Security Program was to include:
– Reducing risks to the business stemming from INFOSEC gaps
– Protecting the CT Corp brand as being reliable and trustworthy
– Supporting business expansion by meeting customer security requirements
– Supporting competitiveness through the protection of intellectual property
– Improving efficiencies by reducing cyber attacks and required responses
Critical Success Factors
1. Top-down management involvement and sponsorship
2. Rely on the experts to help you get up to speed; they are more than willing to give you a hand
3. Enable the business, boost customer win capabilities
4. Create a wide supporting coalition
5. Build enthusiasm, not rules
6. Communicate and over-communicate
7. Put a stake in the ground early, get small wins, and build momentum
Cigital's Security Program Framework (diagram)
Microsoft's Security SDLC Model (diagram)
https://www.microsoft.com/security/sdl/default.aspx?mstLocPickShow=True
References
Reference/Standards Sites
– Open Web Application Security Project (OWASP)
– Web Application Security Consortium (WASC)
Lifecycles and Presentations
– Microsoft Secure Software Development Lifecycle
  • http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=12285
– Building Security Into The Software Life Cycle, Black Hat
  • http://www.blackhat.com/presentations/bh-usa-06/bh-us-06-MoranaR3.0.pdf
– McAfee on Secure Software Development
  • http://www.mcafee.com/us/resources/data-sheets/foundstone/ds-secure-software-dev-life-cycle.pdf
Tools
– Visual Code Grepper from SourceForge:
  • http://sourceforge.net/projects/visualcodegrepp/files/?source=navbar