Shared by: guy24
Posted: 1/10/2009
PHYSICAL SECURITY VS. CYBER SECURITY: A "How-to" Guide for Getting Along
Pat M. Darienzo, CISSP
Director, Network & Systems Security, North Shore – LIJ Health Services
June 5, 2008, New York State Cyber-Security Conference, Albany NY

True Life Scenario #1
Event: There is a break-in at a company location . . .
Physical Security Responses:
• Contact local law enforcement
• Interview witnesses
• Review logs / surveillance tapes
• Report to Legal / Claims
• Submit detailed report to upper management
• Look for "Lessons Learned"
Cyber Security Responses:

True Life Scenario #2
Event: A laptop is missing . . .
Physical Security Responses / Cyber Security Responses (listed together on the slide):
• Speak with owner
• Review IP / access logs
• Determine what type of data was on the machine
• Submit breach notification (if necessary)
• Submit summary report to Asset Management
• Replace client's laptop

[Diagram: converged security organization, physical security responses and cyber security responses feeding one security response]

What is Security Convergence?
"The true meshing of physical security, cyber security and business continuity management, putting an organization in a position to make security a functional strategy and a business opportunity."
What it IS: Integrating historically stovepiped functions of operational risk management to achieve better security, oversight of enterprise-wide risk and cost efficiencies.
What it ISN'T: Putting IT security under the thumb of the physical security group, or vice versa. Creating one big "cost center" out of several smaller ones.
It's all in how you present it… (used with permission)

Don't think "Convergence" . . .
• Wouldn't it be great if the physical security, cyber security and risk areas could all work more closely for efficiency?
• Wouldn't investigations be easier?
• Does the risk justify the cost and effort of this?
"If you're doing that, you probably want to get those guys involved…"
• Corporate Security needs to keep IT in the loop regarding incidents that involve IT assets
• IT needs to support physical security technologies (CCTV, mustering reports, remote DVRs, etc.)
• Risk Management needs to guide both in terms of acceptable levels of risk

The Primary Split
• Logical Security: associated with protection of information systems, or "computer security", where data is logically grouped, protected and presented as one system but may exist in physically disparate locations.
• Physical Security: customarily associated with the tangible physical components of a protection system, such as locks and alarms, and the associated disciplines that protect them.
Each group has skills and expertise that should complement, but often conflict with, those of the other group.

The BIG difference:
• When a physical asset has been stolen . . . it's usually missing!
• When an information asset has been stolen . . . it's usually still there!
The Facts
• In 2006, North American companies spent over $1.7 billion on converged projects, five times what was spent in 2005 (Forrester Research)
• It is often the lack of cohesion and information sharing that criminal groups exploit when they decide to target a business
• Metrics become fuzzy when dealing with risk avoidance and cost avoidance

Convergence Drivers
• Rapid expansion of the enterprise environment
• Recognized migration from physical to information-based and intangible assets
• New protective technologies blurring functional boundaries
• New compliance and regulatory issues: SOX, GLBA, HIPAA, ISO 17799, BS 7799, FIPS 201
• Continuing pressure to reduce cost
• Physical and virtual vulnerabilities pose the same threat and should be treated similarly ("Criminal Convergence")

Criminal Convergence
• 1986: Teenager hacks into a major US banking system and transfers funds (NY) [>$10K]
• 1993: Fake Yankee 24 ATM in a CT shopping mall [>$3K in one day]
• 2003: 55 fake ATMs in CA, FL and NY [>$3.5M from 21,000 accounts]
• 2007: Stop & Shop EFT machines [$ unknown]
• Latest: ATM skimmers – "The Perfect Blend" (image slides: The Perfect Blend)

"Holistic" Security
What seems obvious to one group may be outside the other's sphere of experience, resulting in:
• Poor communications
• Lack of understanding of risks and impact
• Duplication of efforts
• Wasted resources
Physical and Logical Security groups need to bring their disparate skill sets together for a common purpose: protecting the enterprise.

Security as a Strategic Process: Benefits
• Saves security budget dollars
• Increases efficiency
• Streamlines incident response
  – Centralized risk management
  – Combined monitoring
  – Better detection and tracking
  – Better information sharing
• CSO functions as single point of contact
  – Provides oversight for all security issues
  – Increased value to the company, as scope includes physical and information security, risk management and business continuity
  – Embeds security and risk management into business processes and executive decision making
• IT Security becomes less of an "optional" choice
• Raises security awareness
• Cross training creates motivated employees
• Consistent policies across the enterprise

Security as a Strategic Process: Tradeoffs & Obstacles
• Culture clashes
  – Seasoned law-enforcement pros vs. younger techies
  – Old procedures vs. new technologies
  – Need-to-know vs. high-visibility cultures
  – Salary differences ("Jocks vs. Geeks")
• Feelings of loss of control
• Lack of understanding of the issues at executive levels
• Notion of a large "cost center"
  – Seen as an obstacle that muddies the waters
• Seen as "Big Brother": sees all, knows all, controls all
• Cross-training funding will be required

The "Competitors"
Physical Security
• Typically drawn from law enforcement or military
• Reports to Facilities, Administration, or HR
• Frames the issue as protection of people, facilities, operations
• Values authority and command
• Contributes prevention skill sets
IT Security
• Typically drawn from technology ranks
• Reports to CIO or IT Operations
• Frames the issue as availability, integrity, confidentiality of information and systems
• Values creativity and technology innovation
• Contribution is continuity, availability, and integrity of IT capacity and technology
Financial Security
• Typically drawn from the financial community
• Reports to CFO
• Frames the issue as "Risk Management"
• Values financial efficiency and loss prevention
• Contribution is regulatory compliance and quantitative rigor

Separation of Duties Issues
• In most companies IT Security reports to the IT area
  – Makes sense on the surface, but…
• As a result, the IT Department is watched by IT Security, which reports to . . . the IT Department!
  – Are these good internal controls?
  – Possible conflict of interest
• IT Security may function better in the Risk Management arena, NOT Technology
• IT Security should function as a consultant to IT, which maintains and fixes problems

"Convergence Engineering"
A strategic approach to solving the technical problems associated with the integration of logical and physical security. Driven by:
• FIPS-201, developed by NIST under Presidential Directive HSPD-12
• Increased security functionality (e.g., physical presence in the building required before login)
• Synergy savings
• Strategic technical implementations
• Cost savings
Focuses on technical, not "people", issues.

Security Convergence Checklist
• Appoint a strong Chief Security Officer – You?
  – Primarily a law enforcement/legal background
  – IT skills (or familiarity) a plus
• Obtain executive management support for a converged security organization
• Prepare IT security and physical security groups for merger
• Co-locate groups – mingling if possible
• Encourage information sharing between the groups
  – Critical to the success of the new organization
  – Expect reluctance, skepticism and resistance
  – Point out the benefits of working together
• Define scopes of responsibility as well as areas of cooperation
• Look for investigations/projects that can involve representatives from both areas of expertise
• Reward and recognize efforts as a team
• Meet regularly with managers of each area to resolve difficulties and explore opportunities
• After one year, assess and report to upper management the benefits and resulting efforts of the combined group
• Reconfirm executive management's support of the converged security organization

Points to Remember
• Be flexible
  – The converged structure and function is not cast in stone
• Don't focus primarily on consolidation and cost reduction
  – Must take cost avoidance into account
  – There are always tradeoffs: better security = increased cost
  – Who decides what is considered acceptable risk? CSO? CIO? CFO?
• Look to create an oversight-oriented business function with the operational functions under its direction

Threats to a Converged Organization
• A repeatable model for a totally converged, centrally managed organization has yet to be successfully implemented and maintained.
• Experience has shown that most converged departments lead to a loss of efficiency, effectiveness or to utter failure.
• Because of the major differences in their backgrounds, the teams of a converged organization are most often driven apart by culture clashes and salary issues.
• Risk and cost avoidance must be recognized for their value, because unless there are clearly identifiable savings and defensible metrics showing security improvements, the converged organization is likely to lose executive management support.

The "S" Word – Synergy
Some Key Opportunities:
• Access control, "Common Card" systems
  – DoD's Cross Credentialing Project
• Log monitoring
• In-house IP video surveillance and DVR recording
• Computer acquisition and forensics
  – Investigations are often the prime driver
• Employee termination and de-provisioning
• Theft of computer assets
• Theft of electronic data
  – Breach laws
• Chain of custody and legal issues
• Physical safety risks
• Security awareness initiatives

Conclusions
• There is no one-size-fits-all template for convergence
• Convergence should be initiated slowly and in phases, only to the degree that seems logical for an individual company or department
• At its best, "convergence" may just be a series of co-operative efforts that involve areas of commonality for both disciplines:
  – Enterprise-wide common credential card systems
  – Access log monitoring
  – Incident response: investigations, forensics

Additional Information
• www.opensecurityexchange.org – Promoting the Interoperability of Physical and Logical Security . . .
• Deloitte & Touche 2006 Global Security Survey (released June 15, 2006): http://www.deloitte.com/dtt/cda/doc/content/us_fsi_150606globalsecuritysurvey%281%29.pdf
D&T Conclusions: despite all the hype, convergence…
  – is not here yet
  – is not a critical priority for companies
Of 150 companies surveyed:
  – Only 21% have any convergence
  – Only 4% will address it in the next 12 months
  – Only 7% will address it in the next 24 months

References
• _____, "Special Report: Convergence; Next Generation," CSO, April 15, 2005, p. 19+
• Anonymous, "To Converge (and Back)," CSO, January 2006, p. 50
• Brown, Jennifer, "Meet Mr. Convergence," Canadian Security, January 2006, p. 16
• Staff writers, "CSO Fundamentals: ABCs of Physical & IT Security Convergence," CSO Online, http://www.csoonline.com/fundamentals/abc_convergence.html
• ______, "Security Convergence," CIO World News, February 13, 2006, http://www.cio.de/news/cio_worldnews/818278/index1.html
• J.R. Reagan, BearingPoint, "Security & Privacy: Cost, Complexity & Compliance Issues for State Governments," NYS Cyber Security Conference, June 15, 2006
• Sarkar, Dibya, "Two Converging Worlds: Cyber and Physical Security," FCW.com, December 2004, http://www.fcw.com/article84751-12-12-04-Print
• _____, "Fake ATM Plays Gotcha with Users," Boston Globe, May 12, 1993
• Scalet, Sarah D., "ALARMED: Bolting on Security at Stop & Shop," CIO, March 21, 2007
• Tyson, Dave, "The Meaning of Convergence," in Security Convergence and Managing Enterprise Security Risk, Butterworth-Heinemann, 2007
• Koffel Associates Inc., "Convergence Engineering," http://www.koffel.com/Convergence%20Engineering.pdf

Questions?
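The "physical presence in building required before login" control from the Convergence Engineering slide and the "access log monitoring" opportunity from the Synergy and Conclusions slides both reduce to correlating two log sources that normally live in different departments: the badge readers owned by Physical Security and the workstation logon events owned by IT. The following is an added example, not code from the presentation or from North Shore – LIJ. It parses constructed badge-reader and logon records (the field layout, the 14-hour staleness window and the "interactive vs. remote" logon types are assumptions) and flags an on-site interactive logon when the account's owner has no badge event at all, last badged out, or last badged in longer ago than a working shift. VPN logons are skipped because no physical presence is expected for them.

```python
"""Correlate badge-reader events with interactive logons (added example).

Field layout of both logs, the 14-hour staleness window and the logon-type
vocabulary are assumptions made for this illustration; the sample records
below are constructed, not taken from any real system.
"""
from datetime import datetime, timedelta

MAX_PRESENCE_AGE = timedelta(hours=14)   # assumption: a badge-in older than a shift is stale
ONSITE_TYPES = {"interactive"}           # assumption: only console logons require presence

# Constructed badge log: "<ISO timestamp> <badge_in|badge_out> door=... user=..."
BADGE_LOG = """\
2008-06-05T07:55:12 badge_in  door=Lobby-North user=jsmith
2008-06-05T08:02:40 badge_in  door=Lobby-North user=mchen
2008-06-05T12:01:03 badge_out door=Lobby-North user=mchen
2008-06-05T08:10:00 badge_in  door=Lobby-South user=rpatel
"""

# Constructed logon log: "<ISO timestamp> logon user=... host=... src=... type=..."
LOGON_LOG = """\
2008-06-05T08:01:30 logon user=jsmith host=WS-0412 src=10.20.1.45 type=interactive
2008-06-05T08:15:22 logon user=mchen  host=WS-0207 src=10.20.1.88 type=interactive
2008-06-05T13:30:05 logon user=mchen  host=WS-0207 src=10.20.1.88 type=interactive
2008-06-05T09:05:10 logon user=tlopez host=WS-0333 src=10.20.2.10 type=interactive
2008-06-05T21:40:00 logon user=rpatel host=VPN-GW  src=203.0.113.7 type=remote
2008-06-06T07:30:00 logon user=rpatel host=WS-0501 src=10.20.3.14 type=interactive
"""


def parse_line(line):
    """'TS EVENT k=v k=v ...' -> dict with 'ts' (datetime), 'event' and the k=v fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def load(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def badge_index(badge_events):
    """user -> badge events sorted by time (the raw log need not be in order)."""
    idx = {}
    for ev in badge_events:
        idx.setdefault(ev["user"], []).append(ev)
    for events in idx.values():
        events.sort(key=lambda e: e["ts"])
    return idx


def presence_state(user_events, at):
    """State implied by the last badge event strictly before `at`:
    ('in', event), ('out', event) or ('none', None) if the user has no prior event."""
    last = None
    for ev in user_events:
        if ev["ts"] > at:
            break
        last = ev
    if last is None:
        return "none", None
    return ("in" if last["event"] == "badge_in" else "out"), last


def logons_without_presence(badge_text, logon_text, max_age=MAX_PRESENCE_AGE):
    """Return (user, host, logon time, reason) for every on-site logon that the
    badge log does not account for. Remote logons are not checked."""
    idx = badge_index(load(badge_text))
    findings = []
    for lg in load(logon_text):
        if lg["type"] not in ONSITE_TYPES:
            continue
        state, ev = presence_state(idx.get(lg["user"], []), lg["ts"])
        if state == "none":
            reason = "no badge event for this account"
        elif state == "out":
            reason = f"badged out at {ev['ts'].isoformat()}"
        elif lg["ts"] - ev["ts"] > max_age:
            reason = f"last badge-in at {ev['ts'].isoformat()} is older than {max_age}"
        else:
            continue  # badged in recently: presence is accounted for
        findings.append((lg["user"], lg["host"], lg["ts"].isoformat(), reason))
    return findings


if __name__ == "__main__":
    for finding in logons_without_presence(BADGE_LOG, LOGON_LOG):
        print("ALERT", *finding)
```

Two caveats a practitioner would want before acting on these alerts. A missing badge-in is a signal, not proof: tailgating through a held door produces exactly the same record as a stolen password used from inside the building, so the finding should route to both groups for the joint investigation the slides describe rather than to one of them. And the correlation is only as good as the clocks: badge controllers and domain controllers must share a time source, and the staleness window should be tuned to the site's actual shift length and door layout before the rule is allowed to page anyone. The reverse check (a badge-in with no logon for hours) is the same code with the roles of the two logs swapped.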
