SESSION 803 Wednesday, November 4, 10:15am - 11:15am Track: Advancing ITSM

Transcription

1 SESSION 803 Wednesday, November 4, 10:15am - 11:15am Track: Advancing ITSM The Odd Couple: Marrying ITSM with Cybersecurity Timothy Rogers ITSM Consultant, Booz Allen Hamilton trogersmail@gmail.com Session Description Cyber-security has become a top priority for many IT organizations, but what does it have to do with ITSM? Quite a lot, actually. While the ITIL framework specifically addresses cyber-security via the information security management process as part of service design, it impacts all phases of the service lifecycle. This session explores the rapidly evolving world of cyber-security and provides a practical understanding of the many interfaces between cyber-security and ITSM, using real-world examples drawn from multiple frameworks, including ITIL, COBIT, ISO/IEC, and the CISSP Common Body of Knowledge. (Experience Level: Intermediate) Speaker Background Timothy Rogers is a consultant with Booz Allen Hamilton, specializing in ITSM, governance, and cybersecurity. A former CTO with more than twenty years of experience, he has worked with high-tech startups, financial services firms, and large government clients, including the US Navy. Timothy received his MA in international management from the University of California, San Diego, and he s an ITIL Expert and Certified Information Systems Security Professional (CISSP).

2 The Odd Couple: Marrying ITSM with Cybersecurity Timothy Rogers Speaker Bio Timothy Rogers, Consultant with Booz Allen Hamilton specializing in IT Service Management, Governance and Cybersecurity Former CTO with 20+ years experience spanning high tech startups, financial services, and government sectors Author of Ten Steps to ITSM Success: A Practitioner s Guide to Enterprise ITSM Transformation (itsmf USA and ITG Press) Holds Master's degree from the University of California - San Diego ITIL Expert Certified Information Systems Security Professional (CISSP) *Interesting fact: Lived and worked in Hong Kong and speaks some Mandarin Chinese. 2

3 PART I: Introduction to Cybersecurity (15 min.) Cybersecurity: Why Do I Care? Cybersecurity: What is It? Cybersecurity: Why is it Important to ITSM Professionals? PART II: Planning Linking ITSM & Cybersecurity (15 min.) The Anatomy of an Attack Risk Management Frameworks and Controls PART III: Doing It! Marrying ITSM & Cybersecurity (20 min.) Service Strategy Service Design Service Transition Service Operation Question & Answer (10 min.) Today s Agenda 3 Key Themes & Takeaways Understand cybersecurity risk and the anatomy of a cyber attack Know how to leverage frameworks and controls to ensure the Confidentiality, Integrity, and Availability (C.I.A.) of your organization s IT services and infrastructure Walk away with a methodology and examples for incorporating cybersecurity practices into the IT service management lifecycle 4

4 PART I INTRODUCTION TO CYBERSECURITY 5 Cybersecurity: Why Do I Care?

5 Cybersecurity: Why Do I Care? We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction e.g. SCADA, Stuxnet Gen. Michael Hayden, 04 Jun In December 2014 computer security experts reported that members of an Iranian organization were responsible for computer operations targeting US military, transportation, public utility, and other critical infrastructure ONI Director James R. Clapper We re all in this together Cybercrime constitutes the greatest transfer of wealth in history Gen. Keith Alexander Cybercrime-as-a-Service (CaaS), non-state actors, loosely coupled networks e.g. Zeus OPM Hack: Immediate family, close contacts, and references of current and former Federal employees, contractors, and job Candidates whose information was stolen Source:

6 Cybersecurity: What is It? Cybersecurity is NOT just Technical Solutions it is a holistic discipline that incorporates Risk Management = Security Resiliency Cybersecurity: What is It? Cybersecurity Domains Information Security Governance and Risk Management Access Control Security Architecture and Design Physical and Environmental Security Telecommunications and Network Security Cryptography Business Continuity and Disaster Recovery Legal, Regulations, Compliance and Investigation Software Development Security Security Operations

7 Cybersecurity: Why Important to Us? Cybersecurity is a Board-level responsibility, first delegated to CIO and Business Leaders, then (rest assured!) delegated to us. Bottom Line: We can t do ITSM without the ability to maintain C.I.A of our IT services! Good News: We know how to manage business and technology risk, and have always incorporated good practices into service design, delivery and support... The future is bright for service management professionals! Source: COBIT 5 PART II PLANNING LINKING ITSM & CYBERSECURITY 12

8 Anatomy of an Attack - Basic (i.e. ITSM Practitioner s Nightmare) Identify Target Identify Vulnerability Establish Beachhead Elevate Privileges Pwn the System! Social Engineering Metasploit Reconnaissance Sys Admin (Sys 32) Rootkit * Disrupt Services Steal Information Hold Hostage Impersonate Real Bad Things! Anatomy of an Attack - Example (e.g. SQL Injection + Cracked Passwords) Identify Target Open Source Hacking Identify Hunt for Execute Vulnerability Exploit Payload Social Engineering Kali Linux Metasploit MSSQL (SQL Inject) Meterpreter Establish Beachhead Elevate Privileges Execute Hashdump Crack the Hash Pwn the System! Reconnaissance Sys Admin (Sys 32) File Download John the Ripper Rootkit

9 The Risk Management Challenge Source: Raytheon websense Applying Frameworks and Controls

10 Controls (3) Types of Controls, and many are ITSM related: Management Technical Operational Source: NIST SP CM Controls (Real Project Example) Control # DCCB-2 DCCB-2 DCCT-1 DCII-1 DCPR-1 DCSL-1 DCSL-1 ECPC-2 Procedure Name Configuration Control Board IAM Membership on the CCB Compliance Testing IA Impact Assessment Configuration Management Process Source Code Libraries Access Source Code Libraries Access Production Code Change Controls 3 month Review

11 Cybersecurity Lifecycle Example: U.S. Navy Navy IA Technical Authority s Cybersecurity Continuum

12 Example: City of San Diego Source: Gary Hayslip, CISO City of San Diego PART III DOING IT! MARRYING ITSM & CYBERSECURITY 22

13 Resilience: Focus Business and IT! Source: Rick Lemieux, itsm Solutions A Promising Framework: RESILIA Source: Axelos

14 Cybersecurity Services Cybersecurity services are a critical part of any service provider s portfolio: Cybersecurity services include: Business (end user) services Technical services Functional support services Cybersecurity Services Authentication & Authorization Services Cross Domain Security Services Malware Detection & Prevention Services Information Projection Services Network Boundary Management Services Security Configuration & Management Services Security Event Management Services (Cyber) Functional Services Physical Security Services BC/DR Services File Removal Services Certification & Accreditation Services Information Security Training Services Service Strategy Cybersecurity Domains Information Security Governance and Risk Management Legal, Regulations, Compliance and Investigation

15 Service Design Cybersecurity Domains Security Architecture and Design Business Continuity and Disaster Recovery Cryptography Service Transition Cybersecurity Domains Software Development Security Telecommunications and Network Security

16 Service Operation Cybersecurity Domains Access Control Security Operations Physical and Environmental Security DevOps is Critical! Continuous Delivery Continuous Monitoring Continuous Improvement (CSI) Source: VMware

17 Two Additional Critical Pieces ANALYTICS TRAINING Conclusion: Key Takeaways Your organization WILL get attacked and they WILL get in. It is just a matter of when The Elimination of cyber threats, including threats due to insiders or negligence, is simply not practical or feasible... Embrace the concept of Cyber Resilience ITSM and Cybersecurity I think this is the beginning of a beautiful friendship Source: AXELOS

18 Key Objectives of Today s Session Understand cybersecurity risks and the anatomy of a cyber attack Know how to leverage frameworks and controls to ensure C.I.A. of your organization s IT services and infrastructure Walk away with a methodology and examples for incorporating cybersecurity practices into the IT service management lifecycle 33 QUESTION & ANSWER?

19 Thank you for attending this session. Session 803 The Odd Couple: Marrying ITSM with Cybersecurity Contact details: Timothy Rogers (858) Please don t forget to complete an evaluation form!