Business Process Security Model – better known to gAtO as “Aliens Hacked My Website Model”
What type of data are we attempting to secure, internal or external? Let’s look at the business process to better understand security in your company. We’ll walk through two models: the sale of a pencil and the purchase of a pencil. And so the gAtO can have some fun, let’s remember that every person in the food chain can be an “insider threat” – gAtO scary.
Customer orders a pencil.
- Order is taken
- Copies go to – Accounting – Sales – Inventory – Shipping
Company purchases a pencil
- Buyer
- Selects vendors
- Makes contract – Management
- Buys pencil – from China
- Copies go to – Accounting – Inventory – Shipping – Management
The basic “cyber business process model”, when applied to a security assessment, clearly defines the security data points. Let’s look at this example and at some of what we gain from the “Aliens Hacked My Website Model”.
What does the business person think is important about this process? Customer list – Vendor list – Financial information – Legal (contracts – international laws). A security person may think: is the pencil ordered online, and does that order need an SSL/TLS connection? They may see an Access Control List (ACL) as the way to define who has access to financial information. Financial information is very sensitive, and so is Legal during international contract negotiations. The Shipping department and the Inventory control department don’t need to see accounting and legal information. Sales may need to see some financial information (to calculate pay-for-performance) and the Inventory department may need to see some legal aspects (contracts) to know when re-supplies are coming in. The Compliance manager may need all of this to stay ISO compliant. Document everything: which role needs which data, and why.
So you can see that by taking a business process and looking at it from a security and a business perspective together, it helps define what the security points are and what needs mitigation in a security solution. There is a lot more to glean from looking at the SOP (standard operating procedure) and then at how security can help you be compliant. I will also point to the security aspect of the people involved in every operation and what roles and rights to give them to access data. This alone will help you with the problem of “insider threats” in a forensic investigation: if each role can only reach the data its step of the process needs, the list of people who could have touched leaked data is short and already written down.
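Here is the role-to-data mapping from the pencil example, written down as a deny-by-default access policy with an audit trail. This is an added example, not code from the original post: the department names and data classes follow the post, while the dotted sub-resource names (financial.pay_performance, legal.contract.delivery_dates, customer.shipping_address), the user names and the denial threshold are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Role -> read permissions on the data classes the post names. Resource names are
# dotted so a role can be given "some" of a class (e.g. only pay-for-performance
# figures, not the whole ledger). The sub-resource split is an assumption for this
# example, not something the post specifies.
POLICY = {
    "accounting": {"order.*", "customer.list", "vendor.list", "financial.*"},
    "sales":      {"order.*", "customer.list", "financial.pay_performance"},
    "inventory":  {"order.*", "vendor.list", "legal.contract.delivery_dates"},
    "shipping":   {"order.*", "customer.shipping_address"},
    "management": {"order.*", "vendor.list", "financial.*", "legal.*"},
    "legal":      {"vendor.list", "legal.*"},
    "compliance": {"order.*", "financial.*", "legal.*"},
}


@dataclass
class AuditEvent:
    user: str
    role: str
    resource: str
    allowed: bool


@dataclass
class AccessControl:
    policy: dict
    audit_log: list = field(default_factory=list)

    def is_allowed(self, role, resource):
        # Deny by default: an unknown role or an unlisted resource both fail closed.
        return any(fnmatchcase(resource, p) for p in self.policy.get(role, ()))

    def access(self, user, role, resource):
        # Every decision, allowed or not, is written down for later investigation.
        allowed = self.is_allowed(role, resource)
        self.audit_log.append(AuditEvent(user, role, resource, allowed))
        return allowed


def who_touched(audit_log, resource):
    """Forensic question one: which users actually read this resource?"""
    return sorted({e.user for e in audit_log if e.allowed and e.resource == resource})


def suspicious_users(audit_log, min_denials=3):
    """Forensic question two: who keeps being refused financial or legal data?
    Repeated denials from a role that never needed that data are the insider
    pattern the post warns about. The threshold is an assumed tuning value."""
    denials = Counter(
        e.user for e in audit_log
        if not e.allowed and e.resource.split(".")[0] in ("financial", "legal")
    )
    return {user: n for user, n in denials.items() if n >= min_denials}


def run_pencil_order_sample():
    """Constructed sample: accesses during one pencil sale and one pencil purchase."""
    ac = AccessControl(POLICY)
    attempts = [
        ("alice", "sales", "order.pencil-1001"),
        ("alice", "sales", "financial.pay_performance"),
        ("alice", "sales", "financial.ledger"),            # some, not all, financial data
        ("bob", "accounting", "financial.ledger"),
        ("carol", "inventory", "legal.contract.delivery_dates"),
        ("carol", "inventory", "legal.contract.terms"),    # contract terms are Legal's
        ("dave", "shipping", "order.pencil-1001"),
        ("dave", "shipping", "financial.ledger"),          # shipping has no business here
        ("dave", "shipping", "financial.ledger"),
        ("dave", "shipping", "legal.contract.terms"),
        ("erin", "temp-staff", "customer.list"),           # role not in policy: denied
    ]
    results = [(u, r, ac.access(u, role, r)) for u, role, r in attempts]
    return ac, results


if __name__ == "__main__":
    ac, results = run_pencil_order_sample()
    for user, resource, allowed in results:
        print(f"{'ALLOW' if allowed else 'DENY ':5} {user:6} {resource}")
    print("touched financial.ledger:", who_touched(ac.audit_log, "financial.ledger"))
    print("suspicious:", suspicious_users(ac.audit_log))
```

Two things fall out of the same audit log: who actually read a given record (the first question in any leak investigation), and who kept knocking on doors they were never given keys to. The policy table is the “document everything” step in machine-readable form, and because it fails closed, a new role or a new data class is denied until someone deliberately adds it.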
Here is some useful advice for any organization from gAtO. Cyber security advice:
- Have an Incident Response Plan (IRP) – READY NOW!!!!
- Deploy defense-in-depth
- Check your logs
- Use a strict but flexible information security policy and practices
- Have regular audits of your security by an outside firm
- Use IDS or IPS
- Teach your staff about information security
- Teach your staff about social engineering
- Develop good Vendor relations
- Keep your software and hardware up to date – patch control. Test every patch; it may open more security holes.
- Watch security (Intelligence Team) sites for news on computer security and learn what the new attacks are: zero-day (0day) exploits, XSS…
- Have a disaster recovery plan ready
- Let your sysadmins go to DEF CON.
- Get good sysadmins who understand security – pay them well
- Encrypt all your data (something like AES-256). Use an authenticated mode such as AES-GCM, and remember the encryption is only as good as the way you protect the keys.
- Use spam filters
- Develop an Intelligence team to look at cyber chatter
- Keep an eye on what information you are letting out into the public domain
- Use good physical security. What good is all the security software if someone can just walk in and take your “secure” systems?
PII (Personally Identifiable Information)
Privacy has been and will continue to be a hot topic, and if you are an international organization you definitely should have it on your radar.
While Information Security may consider privacy part of their jurisdiction, it should be the responsibility of Legal and HR. Information Security should be present to guide the protection of information, but should not own the compliance and/or business processes surrounding Personally Identifiable Information (PII).
With the E.U. Safe Harbor framework, many organizations are scrambling to understand what it means, whether other countries will accept the standard (e.g., Germany), and whether the standard will accept them (sorry, Mexico). One idea that is often overlooked when discussing PII is the presence of a good Incident Response Plan (IRP).
Privacy regulations are very particular about PII being leaked or breached. When performing a privacy assessment, be certain to allocate some of your budget to developing or updating your IRP.
ISO/IEC 27001 requires that management:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
My 2¢ – gatoMalo_at_uscyberlabs_dot_com