Compliance vs Competence: Cyber Security Management for Data Centers. Dr. Suku Nair University Distinguished Professor and Chair, SMU

Transcription

1 Compliance vs Competence: Cyber Security Management for Data Centers Dr. Suku Nair University Distinguished Professor and Chair, SMU

2 Cyber Landscape Technology Trends Organizations /Nation States Social Trends Business Trends Security Technologies Skilled Attackers Objectives Obstruction/T heft Political Trends Highly Targeted

3 Landscape Closer Look Technology Speed of evolution New engines on old chassis Cloud, mobility, convergence Social Facebook has over 1.3 billion users! Privacy Social Engineering Cognitive cyber Business Big Data, Internet of things, BYOD IP theft biggest transfer of wealth in human history 3D printing Politics Reverse engineering and cloning National and International Cyber Warfare

4 Anatomy of Attack Zero-day Spear-phishing Known vulnerabilities System Exploitation Malware Transfer Key logger Trojan backdoor Password cracker File grabber Criminal server contact Replication and disguise Antivirus disabled Control Established Data Exfiltration FTP or HTTP protocol Encryption to avoid detection Disguise identities and location Target additional systems Gain elevated permissions Self-replication Lateral Movement Fireeye. From Target to Aggressor: How Data Centers are Becoming Unwitting Accomplices in Advanced Cyber Attacks

5 Cyber Program Implementation NIST. Managing Information Security Risk: Organization, Mission, and Information System View. 2011

6 Risk Matrix

7 Risk Handling Decision Points Threat Source System Design Flaw or weakness? YES Can be exercised? YES Vulnerability Exists & NO NO No Risk No Risk Mission Impact? YES Risk Exists Attacker s Cost < Gain YES Loss Anticipated > Threshold YES Unacceptable Risk NO NO NO No Risk Risk Accept Risk Accept

8 NIST Special Publication Security supports mission of organization; is an integral element of sound management Security should be cost-effective; owners have security responsibilities outside their own organizations Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach Security should be periodically reassessed; security is constrained by societal factors 33 Principles enumerated

9 Design of Security Architecture Defense in depth Implementation of security in layers Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls Security perimeter Point at which an organization s security protection ends and outside world begins Does not apply to internal attacks from employee threats or on-site physical threats

10 Security Awareness One of least frequently implemented but most beneficial programs is the security awareness program Designed to keep information security at the forefront of users minds Need not be complicated or expensive If the program is not actively implemented, employees begin to tune out and risk of employee accidents and failures increases

11 Off-Site Disaster Data Storage To get sites up and running quickly, organization must have ability to port data into new site s systems Options for getting operations up and running include: Controller based Fabric based Server based Application based

12 Secure Data Center Requirements Site selection Utilities Building design Mechanical/Electrical systems Facility security and monitoring Construction monitoring Electromagnetic pulses Cleaning

13 Security Audit Standards SAS 70 SSAE 16 SOC 2 SOC 3

14 Cyber Situational Awareness