PHYSICAL SECURITY VS. CYBER SECURITY: A How-to Guide for Getting Along

1
PHYSICAL SECURITY VS. CYBER SECURITY
A How-to Guide for Getting Along
June 5, 2008, New York State Cyber-Security
Conference, Albany NY
Pat M. Darienzo, CISSP, Director, Network &
Systems Security, North Shore LIJ Health
Services
2
True Life Scenario 1
Event: There is a break-in at a company location
. . .
  • Contact local law enforcement
  • Interview witnesses
  • Review logs / surveillance tapes
  • Report to Legal / Claims
  • Submit detailed report to upper management
  • Look for Lessons Learned

3
True Life Scenario 2
Event: A laptop is missing . . .
  • Speak with owner
  • Review IP / access logs
  • Determine what type of data was on machine
  • Submit Breach Notification (if necessary)
  • Submit summary report to Asset Management
  • Replace client's laptop

4
Converged Security Response
Converged Security Organization
5
What is Security Convergence?
  • The true meshing of physical security, cyber
    security and business continuity management,
    putting an organization in a position to make
    security a functional strategy and a business
    opportunity.

What it IS: Integrating historically stovepiped
functions of operational risk management to
achieve better security, oversight of
enterprise-wide risk and cost efficiencies.
What it ISN'T: Putting IT security under the
thumb of the physical security group, or vice
versa. Creating one big cost center out of
several smaller ones.
It's all in how you present it.
6
(image slide, used with permission)
7
Don't think "Convergence" . . .
  • Wouldn't it be great if the physical security,
    cyber security and risk areas could all work more
    closely for efficiency?
  • Wouldn't investigations be easier?
  • Does the risk justify the cost and effort of
    this?
  • If you're doing that, you probably want to get
    those guys involved
  • Corporate Security needs to keep IT in the loop
    regarding incidents that involve IT assets
  • IT needs to support physical security technologies
    (CCTV, mustering reports, remote DVRs, etc.)
  • Risk Management needs to guide both in terms of
    acceptable levels of risk

8
The Primary Split
  • Logical Security: associated with protection of
    information systems or computer security, where
    data is logically grouped, protected and
    presented as one system but may exist in
    physically disparate locations.
  • Physical Security: customarily associated with
    the tangible physical components of a protection
    system, such as locks and alarms, and the
    associated disciplines that protect them.
  • Each group has skills and expertise that should
    complement, but often conflict with, those of the
    other group.

The BIG difference
  • When a physical asset has been stolen . . .
  • . . . it's usually missing!
  • When an information asset has been stolen . . .
  • . . . it's usually still there!

9
The Facts
  • In 2006, North American companies spent over $1.7
    billion on converged projects, five times what
    was spent in 2005 (Forrester Research)
  • It is often the lack of cohesion and information
    sharing that criminal groups exploit when they
    decide to target a business
  • Metrics become fuzzy when dealing with risk
    avoidance and cost avoidance

10
Convergence Drivers
  • Rapid expansion of the enterprise environment
  • Recognized migration from physical to
    information-based and intangible assets
  • New protective technologies blurring functional
    boundaries
  • New compliance and regulatory issues
  • SOX, GLBA, HIPAA, ISO 17799, BS 7799, FIPS 201
  • Continuing pressure to reduce cost
  • Physical and Virtual vulnerabilities pose the
    same threat and should be treated similarly
  • Criminal Convergence

11
Criminal Convergence
  • 1986: Teenager hacks into a major US banking system
    and transfers funds (NY), >$10K
  • 1993: Fake Yankee 24 ATM in a CT shopping mall,
    >$3K in one day
  • 2003: 55 fake ATMs in CA, FL and NY, >$3.5M from
    21,000 accounts
  • 2007: Stop & Shop EFT machines, amount unknown
  • Latest: ATM skimmers, "The Perfect Blend"

12-16
The Perfect Blend (image slides)
17
Holistic Security
  • What seems obvious to one group may be outside
    of the other's sphere of experience, resulting in:
  • Poor communications
  • Lack of understanding of risks and impact
  • Duplication of efforts
  • Wasted resources
  • Physical & Logical Security groups need to bring
    their disparate skill sets together for a common
    purpose: protecting the enterprise

18
Security as a Strategic Process
  • Benefits
  • Saves security budget dollars
  • Increases efficiency
  • Centralized risk management
  • Combined monitoring
  • Better detection and tracking
  • Streamlines incident response
  • Better information sharing
  • CSO functions as single point of contact
  • Provides oversight for all security issues
  • Increased value to the company as scope includes
    physical & information security, risk management
    and business continuity
  • IT Security becomes less of an optional choice
  • Embeds security and risk management into business
    processes and executive decision making
  • Raises security awareness
  • Cross training creates motivated employees
  • Consistent policies across the enterprise

19
Security as a Strategic Process
  • Tradeoffs & Obstacles
  • Culture clashes
  • Seasoned law-enforcement pros vs. younger techies
  • Jocks vs. Geeks
  • Old procedures vs. new technologies
  • Need-to-know vs. high visibility cultures
  • Salary differences
  • Feelings of loss of control
  • Lack of understanding issues at executive levels
  • Notion of a large cost center
  • Seen as an obstacle that muddies the waters
  • Seen as Big Brother
  • Sees all, knows all, controls all
  • Cross-Training funding will be required

20
The Competitors
Physical Security
IT Security
Financial Security
21
Separation of Duties Issues
  • In most companies IT Security reports to the IT
    area
  • Makes sense on the surface, but
  • As a result, the IT Department is watched by IT
    Security who reports to. . . the IT Department!
  • Are these good internal controls?
  • Possible conflict of interest
  • IT Security may function better in the Risk
    Management arena, NOT Technology
  • IT Security should function as a consultant to IT
    who maintains and fixes problems

22
Convergence Engineering
  • A strategic approach to solving the technical
    problems associated with the integration of
    logical & physical security
  • Driven by:
  • FIPS 201, developed by NIST under Homeland
    Security Presidential Directive HSPD-12
  • Increased security functionality
  • Example: physical presence in the building
    required before login
  • Cost savings
  • Synergy savings
  • Strategic technical implementations
  • Focuses on technical, not people, issues.
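
The presence-before-login control on this slide needs one piece of engineering: the badge system's door events and the directory's logon events have to be merged and replayed in time order so that every logon can be checked against an open badge-in. The block below is an added example of that correlation in Python; it is not code from the presentation or from North Shore LIJ. The log format, the user names, the event sources ("pacs" for the physical access control system, "ad" for the domain controller) and the 12-hour limit on how long a badge-in is trusted without a badge-out are all assumptions made for this example.

```python
"""Added example: flag IT logons that are not backed by physical presence.

Assumption: the badge system (PACS) and the directory log the same user
identifier. The log format and the sample events below are constructed
for this example and are not from the original presentation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption: a badge-in with no matching badge-out vouches for presence
# for at most one long shift; after that the badge-in is treated as stale
# (people forget to badge out, and yesterday's entry must not cover today).
MAX_PRESENCE = timedelta(hours=12)

# Constructed sample log: "<ISO timestamp> <source> <user> <action> [detail]".
SAMPLE_LOG = """\
2008-06-04T18:00:00 pacs carol BADGE_IN lobby-turnstile-2
2008-06-05T07:58:10 pacs alice BADGE_IN lobby-turnstile-1
2008-06-05T08:02:33 ad alice LOGON ws-0412
2008-06-05T08:15:00 ad bob LOGON ws-0777
2008-06-05T08:20:45 pacs bob BADGE_IN lobby-turnstile-1
2008-06-05T09:10:00 ad carol LOGON ws-0099
2008-06-05T12:01:00 pacs alice BADGE_OUT lobby-turnstile-1
2008-06-05T12:30:12 ad alice LOGON ws-0412
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str
    user: str
    action: str      # BADGE_IN | BADGE_OUT | LOGON
    detail: str


@dataclass(frozen=True)
class Finding:
    user: str
    logon_ts: datetime
    reason: str      # NO_BADGE_IN | BADGED_OUT | STALE_BADGE_IN
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the merged PACS + directory feed and return it in time order."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=4)
        ts, source, user, action = parts[:4]
        detail = parts[4] if len(parts) > 4 else ""
        events.append(Event(datetime.fromisoformat(ts), source, user, action, detail))
    events.sort(key=lambda e: e.ts)
    return events


def check_logons(events: List[Event],
                 max_presence: timedelta = MAX_PRESENCE) -> List[Finding]:
    """Replay events; every LOGON must fall inside an open, fresh badge-in."""
    # user -> ("in", ts) or ("out", ts); absent means never seen at a door
    presence: Dict[str, Tuple[str, datetime]] = {}
    findings: List[Finding] = []
    for e in events:
        if e.action == "BADGE_IN":
            presence[e.user] = ("in", e.ts)
        elif e.action == "BADGE_OUT":
            presence[e.user] = ("out", e.ts)
        elif e.action == "LOGON":
            state = presence.get(e.user)
            if state is None:
                findings.append(Finding(e.user, e.ts, "NO_BADGE_IN", e.detail))
            elif state[0] == "out":
                findings.append(Finding(e.user, e.ts, "BADGED_OUT",
                                        f"badged out at {state[1].isoformat()}"))
            elif e.ts - state[1] > max_presence:
                findings.append(Finding(e.user, e.ts, "STALE_BADGE_IN",
                                        f"badged in {e.ts - state[1]} ago"))
    return findings


if __name__ == "__main__":
    for f in check_logons(parse_log(SAMPLE_LOG)):
        print(f"{f.logon_ts.isoformat()} {f.user:6} {f.reason:15} {f.detail}")
```

On the sample feed this flags bob (logged on five minutes before his badge-in), carol (badge-in from the previous evening, never badged out) and alice's second logon (after she badged out); alice's morning logon passes. The check is only possible when the badge system and the directory share a user identifier or a maintained mapping between them, which is exactly the data sharing the deck argues for.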

23
Security Convergence Checklist
  • Appoint a strong Chief Security Officer (You?)
  • Primarily a law enforcement/legal background
  • IT skills (or familiarity) a plus
  • Obtain executive management support of a
    converged security organization
  • Prepare IT security and physical security groups
    for merger
  • Expect reluctance, skepticism and resistance
  • Point out benefits of working together
  • Define scopes of responsibility as well as areas
    of cooperation
  • Co-locate groups - mingling if possible
  • Encourage information sharing between the groups
  • Critical to the success of the new organization

24
Security Convergence Checklist
  • Look for investigations/projects that can involve
    representatives from both areas of expertise
  • Reward and recognize efforts as a team
  • Meet regularly with managers of each area to
    resolve difficulties and explore opportunities
  • After one year, assess and report to upper
    management the benefits and resulting efforts of
    the combined group
  • Reconfirm executive management's support of the
    converged security organization

25
Points to Remember
  • Be flexible
  • The converged structure and function is not cast
    in stone
  • Don't focus primarily on consolidation and cost
    reduction
  • Must take cost avoidance into account
  • There are always tradeoffs
  • Better security means increased cost
  • Who decides what is considered acceptable risk?
  • CSO? CIO? CFO?
  • Look to create an oversight-oriented business
    function with the operational functions under its
    direction

26
Threats to a Converged Organization
  • A repeatable model for a totally converged,
    centrally managed organization has yet to be
    successfully implemented and maintained.
  • Experience has shown that most converged
    departments lead to a loss of efficiency,
    effectiveness or to utter failure.
  • Because of the major differences in their
    backgrounds, the teams of a converged
    organization are most often driven apart by
    culture clashes and salary issues.
  • Risk and cost avoidance must be recognized for
    their value, because unless there is clearly
    identifiable savings and defensible metrics
    showing security improvements, the converged
    organization is likely to lose executive
    management support.

27
The "S" Word: Synergy
  • Some Key Opportunities
  • Access control, Common Card systems
  • DoD's Cross Credentialing Project
  • Log monitoring
  • In-house IP video surveillance and DVR recording
  • Computer acquisition and forensics
  • Investigations are often the prime driver
  • Employee termination and de-provisioning
  • Theft of computer assets
  • Theft of electronic data
  • Breach Laws
  • Chain of custody and legal issues
  • Physical safety risks
  • Security Awareness initiatives
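
Employee termination and de-provisioning is listed above as a synergy opportunity; the concrete check behind it is a reconciliation of HR terminations against both directory accounts and physical badges, so that a leaver whose badge still opens doors is caught by the same run that catches a leaver whose account is still enabled. The block below is an added example of that reconciliation in Python and is not code from the presentation; the record layouts, the sample users and dates, the one-day grace period and the assumption that HR, the directory and the badge system all key on the same user identifier are constructed for this example.

```python
"""Added example: reconcile HR terminations against directory accounts
and physical badges (constructed data, not from the original deck).

Assumption: HR, the directory and the physical access control system
(PACS) all key their records on the same user identifier.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Termination:
    user: str
    effective: date          # last day of employment


@dataclass(frozen=True)
class Account:               # directory (e.g. domain) account
    user: str
    enabled: bool
    last_logon: Optional[date]


@dataclass(frozen=True)
class Badge:                 # physical credential held in the PACS
    badge_id: str
    user: str
    active: bool
    last_used: Optional[date]


@dataclass(frozen=True)
class Finding:
    user: str
    system: str              # "directory" or "pacs"
    severity: str            # "dangling" or "used_after_termination"
    detail: str


# Constructed sample extracts, as of 5 June 2008.
AS_OF = date(2008, 6, 5)
NO_GRACE = timedelta(0)
TERMINATIONS = [
    Termination("dave", date(2008, 5, 30)),
    Termination("erin", date(2008, 6, 2)),
    Termination("frank", date(2008, 6, 4)),
]
ACCOUNTS = [
    Account("dave", True, date(2008, 6, 3)),    # still enabled, used after leaving
    Account("erin", False, date(2008, 6, 1)),   # correctly disabled
    Account("frank", True, date(2008, 6, 4)),   # left yesterday
    Account("alice", True, date(2008, 6, 5)),   # current employee
]
BADGES = [
    Badge("B-1001", "dave", True, date(2008, 5, 29)),
    Badge("B-1002", "erin", True, date(2008, 6, 4)),   # badge still opens doors
    Badge("B-1003", "frank", True, date(2008, 6, 4)),
    Badge("B-1004", "alice", True, date(2008, 6, 5)),
]


def reconcile(terminations: List[Termination], accounts: List[Account],
              badges: List[Badge], as_of: date,
              grace: timedelta = timedelta(days=1)) -> List[Finding]:
    """Return every live logical or physical credential of a terminated user.

    A credential used after the termination date is escalated, because
    that is no longer a de-provisioning backlog but a possible misuse.
    Terminations newer than `grace` are skipped (assumed still inside the
    agreed de-provisioning window).
    """
    account_by_user: Dict[str, Account] = {a.user: a for a in accounts}
    badges_by_user: Dict[str, List[Badge]] = {}
    for b in badges:
        badges_by_user.setdefault(b.user, []).append(b)

    findings: List[Finding] = []
    for t in terminations:
        if as_of - t.effective <= grace:
            continue
        acct = account_by_user.get(t.user)
        if acct is not None and acct.enabled:
            used_after = acct.last_logon is not None and acct.last_logon > t.effective
            findings.append(Finding(
                t.user, "directory",
                "used_after_termination" if used_after else "dangling",
                f"account enabled; last logon {acct.last_logon}"))
        for b in badges_by_user.get(t.user, []):
            if not b.active:
                continue
            used_after = b.last_used is not None and b.last_used > t.effective
            findings.append(Finding(
                t.user, "pacs",
                "used_after_termination" if used_after else "dangling",
                f"badge {b.badge_id} active; last used {b.last_used}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(TERMINATIONS, ACCOUNTS, BADGES, AS_OF):
        print(f"{f.user:6} {f.system:10} {f.severity:23} {f.detail}")
```

On the sample data the run reports dave's account (enabled and logged on after his last day), dave's badge (active but unused), and erin's badge (active and used two days after she left, even though IT disabled her account promptly); frank is still inside the grace window. Feeding the same HR extract to both the IT and the physical security side is the point: neither side alone would have seen erin's case as anything other than routine.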

28
Conclusions
  • There is no one-size-fits-all template for
    convergence
  • Convergence should be initiated slowly and in
    phases only to the degree that seems logical for
    an individual company or department
  • At its best, convergence may just be a series
    of co-operative efforts that involve areas of
    commonality for both disciplines
  • Enterprise-wide common credential card systems
  • Access log monitoring
  • Incident response
  • Investigations
  • Forensics

29
Additional Information
  • www.opensecurityexchange.org
  • Promoting the Interoperability of Physical and
    Logical Security. . .
  • Deloitte & Touche 2006 Global Security Survey
  • (released June 15, 2006)
  • http://www.deloitte.com/dtt/cda/doc/content/us_fsi_150606globalsecuritysurvey%281%29.pdf
  • D&T Conclusions
  • Despite all the hype, convergence
  • is not here yet
  • is not a critical priority for companies
  • Of 150 companies surveyed
  • Only 21 have any convergence
  • Only 4 will address in next 12 months
  • Only 7 will address in next 24 months

30
References
  • _____, "Special Report: Convergence: Next
    Generation," CSO, (April 15, 2005), p. 19
  • Anonymous, "To Converge (and Back)," CSO,
    (January, 2006), p. 50
  • Brown, Jennifer, "Meet Mr. Convergence," Canadian
    Security, (January, 2006), p. 16
  • Staff writers, "CSO Fundamentals: ABCs of
    Physical & IT Security Convergence," CSO Online,
    URL http://www.csoonline.com/fundamentals/abc_convergence.html
  • ______, "Security Convergence," CIO World News,
    (February 13, 2006),
    URL http://www.cio.de/news/cio_worldnews/818278/index1.html
  • J.R. Reagan, BearingPoint, "Security & Privacy:
    Cost, Complexity & Compliance Issues for State
    Governments," NYS Cyber Security Conference,
    (June 15, 2006)

31
References
  • Sarkar, Dibya, "Two Converging Worlds: Cyber and
    Physical Security," FCW.com, (December, 2004),
    URL http://www.fcw.com/article84751-12-12-04-Print
  • _____, "Fake ATM Plays Gotcha with Users," Boston
    Globe, (May 12, 1993)
  • Scalet, Sarah D., "ALARMED: Bolting on Security
    at Stop & Shop," CIO, (March 21, 2007)
  • Tyson, Dave, "The Meaning of Convergence,"
    Security Convergence and Managing Enterprise
    Security Risk, Butterworth-Heinemann, 2007
  • Koffel & Associates Inc., "Convergence Engineering,"
    URL http://www.koffel.com/Convergence%20Engineering.pdf

32
Questions?