Title: PHYSICAL SECURITY VS. CYBER SECURITY: A How-to Guide for Getting Along
June 5, 2008, New York State Cyber-Security Conference, Albany NY
Pat M. Darienzo, CISSP, Director, Network Systems Security, North Shore LIJ Health Services
True Life Scenario 1
Event: There is a break-in at a company location . . .
- Contact local law enforcement
- Interview witnesses
- Review logs / surveillance tapes
- Report to Legal / Claims
- Submit detailed report to upper management
- Look for Lessons Learned
True Life Scenario 2
Event: A Laptop is Missing . . .
- Speak with owner
- Review IP / access logs
- Determine what type of data was on machine
- Submit Breach Notification (if necessary)
- Submit summary report to Asset Management
- Replace client's laptop
Converged Security Response
Converged Security Organization
What is Security Convergence?
- The true meshing of physical security, cyber security and business continuity management, putting an organization in a position to make security a functional strategy and a business opportunity.
What it IS: Integrating historically stovepiped functions of operational risk management to achieve better security, oversight of enterprise-wide risk and cost efficiencies.
What it ISN'T: Putting IT security under the thumb of the physical security group, or vice versa. Creating one big cost center out of several smaller ones.
It's all in how you present it
Used with permission (image slide)
Don't think Convergence . . .
- Wouldn't it be great if the physical security, cyber security and risk areas could all work more closely for efficiency?
- Wouldn't investigations be easier?
- Does the risk justify the cost and effort of this?
- If you're doing that, you probably want to get those guys involved
- Corporate Security needs to keep IT in the loop regarding incidents that involve IT assets
- IT needs to support physical security technologies (CCTV, mustering reports, remote DVRs, etc.)
- Risk Management needs to guide both in terms of acceptable levels of risk
The Primary Split
- Logical Security: associated with protection of information systems or computer security, where data is logically grouped, protected and presented as one system but may exist in physically disparate locations.
- Physical Security: customarily associated with the tangible physical components of a protection system, such as locks and alarms, and the associated disciplines that protect them.
- Each group has skills and expertise that should complement, but often conflict with, those of the other group.
The BIG difference
- When a physical asset has been stolen . . .
- . . . it's usually missing!
- When an information asset has been stolen . . .
- . . . it's usually still there!
The Facts
- In 2006, North American companies spent over $1.7 billion on converged projects, five times what was spent in 2005 (Forrester Research)
- It is often the lack of cohesion and information sharing that criminal groups exploit when they decide to target a business
- Metrics become fuzzy when dealing with risk avoidance and cost avoidance
Convergence Drivers
- Rapid expansion of the enterprise environment
- Recognized migration from physical to information-based and intangible assets
- New protective technologies blurring functional boundaries
- New compliance and regulatory issues
  - SOX, GLBA, HIPAA, ISO 17799, BS 7799, FIPS 201
- Continuing pressure to reduce cost
- Physical and virtual vulnerabilities pose the same threat and should be treated similarly
- Criminal Convergence
Criminal Convergence
- 1986: Teenager hacks into major US banking system, transfers funds (NY), > $10K
- 1993: Fake Yankee 24 ATM in a CT shopping mall, > $3K in one day
- 2003: 55 fake ATMs in CA, FL and NY, > $3.5M from 21,000 accounts
- 2007: Stop & Shop EFT machines, unknown
- Latest: ATM skimmers, The Perfect Blend
The Perfect Blend (five image slides; no text recovered)
Holistic Security
- What seems obvious to one group may be outside of the other's sphere of experience, resulting in:
  - Poor communications
  - Lack of understanding of risks and impact
  - Duplication of efforts
  - Wasted resources
- Physical & Logical Security groups need to bring their disparate skill sets together for a common purpose: protecting the enterprise
Security as a Strategic Process
- Benefits
  - Saves security budget dollars
  - Increases efficiency
  - Centralized risk management
  - Combined monitoring
  - Better detection and tracking
  - Streamlines incident response
  - Better information sharing
  - CSO functions as single point of contact
  - Provides oversight for all security issues
  - Increased value to the company as scope includes physical & information security, risk management and business continuity
  - IT Security becomes less of an optional choice
  - Embeds security and risk management into business processes and executive decision making
  - Raises security awareness
  - Cross training creates motivated employees
  - Consistent policies across the enterprise
Security as a Strategic Process
- Tradeoffs & Obstacles
  - Culture clashes
    - Seasoned law-enforcement pros vs. younger techies
    - Jocks vs. Geeks
    - Old procedures vs. new technologies
    - Need-to-know vs. high-visibility cultures
  - Salary differences
  - Feelings of loss of control
  - Lack of understanding of issues at executive levels
    - Notion of a large cost center
    - Seen as an obstacle that muddies the waters
    - Seen as Big Brother
      - Sees all, knows all, controls all
  - Cross-training funding will be required
The Competitors
Physical Security
IT Security
Financial Security
Separation of Duties Issues
- In most companies IT Security reports to the IT area
- Makes sense on the surface, but . . .
- As a result, the IT Department is watched by IT Security, who reports to . . . the IT Department!
- Are these good internal controls?
  - Possible conflict of interest
- IT Security may function better in the Risk Management arena, NOT Technology
- IT Security should function as a consultant to IT, who maintains and fixes problems
Convergence Engineering
- A strategic approach to solving the technical problems associated with the integration of logical & physical security
- Driven by:
  - FIPS-201 under Presidential Directive HSPD-12, developed by NIST
  - Increased security functionality
    - Ex: Physical presence in building required before login
  - Cost savings
  - Synergy savings
  - Strategic technical implementations
- Focuses on technical, not people, issues.
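The "physical presence in building required before login" example above is the kind of control a converged team can actually build, because it needs both the badge-reader log and the logon log. The script below is an added illustration, not part of the original presentation: it correlates constructed sample records from the two logs and flags every successful logon that the badge records do not support (no badge-in at all, a badge-out after the last badge-in, or a badge-in so old that a badge-out was probably missed). The log formats, the door-to-site table, the 14-hour staleness limit and all names are assumptions made for the example.

```python
"""Added example: flag logons with no matching physical badge-in.

Correlates a badge-reader log (physical security) with a workstation logon
log (IT security). Log formats, site names and the 'last badge event' rule
are assumptions for this example, not a real product's format.
"""
from datetime import datetime, timedelta

# Assumption: which site each badge reader guards.
DOOR_SITE = {"MAIN-LOBBY": "HQ", "LOADING-DOCK": "HQ"}

# Constructed sample badge-reader events (not real data).
BADGE_LOG = """\
2008-06-04T17:00:00 badge=3190 user=clee door=MAIN-LOBBY action=IN
2008-06-05T08:02:11 badge=1042 user=jdoe door=MAIN-LOBBY action=IN
2008-06-05T08:15:40 badge=2077 user=asmith door=LOADING-DOCK action=IN
2008-06-05T12:01:05 badge=1042 user=jdoe door=MAIN-LOBBY action=OUT
"""

# Constructed sample logon events (not real data).
LOGON_LOG = """\
2008-06-05T07:30:00 user=bwong host=WS-150 site=HQ result=FAILURE
2008-06-05T08:05:30 user=jdoe host=WS-117 site=HQ result=SUCCESS
2008-06-05T08:20:02 user=asmith host=WS-203 site=HQ result=SUCCESS
2008-06-05T09:10:44 user=bwong host=WS-150 site=HQ result=SUCCESS
2008-06-05T09:30:00 user=clee host=WS-301 site=HQ result=SUCCESS
2008-06-05T12:30:15 user=jdoe host=WS-117 site=HQ result=SUCCESS
"""


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts with a datetime 'time'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["time"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def stamp(rec):
    """ISO-8601 text of a record's timestamp, used in findings."""
    return rec["time"].isoformat()


def last_badge_event(badge_events, user, site, when):
    """Most recent badge event for `user` at a reader of `site`, at or before `when`."""
    candidates = [
        ev for ev in badge_events
        if ev["user"] == user and DOOR_SITE.get(ev["door"]) == site and ev["time"] <= when
    ]
    return max(candidates, key=lambda ev: ev["time"]) if candidates else None


def find_unbadged_logons(badge_text, logon_text, max_age=timedelta(hours=14)):
    """Return (time, user, host, reason) for each successful logon that the badge
    records do not support: no badge-in, a badge-out after the last badge-in, or a
    badge-in older than `max_age` (a likely missed badge-out)."""
    badge_events = parse_log(badge_text)
    findings = []
    for logon in parse_log(logon_text):
        if logon["result"] != "SUCCESS":
            continue  # failed logons are a separate use case
        ev = last_badge_event(badge_events, logon["user"], logon["site"], logon["time"])
        if ev is None:
            reason = "no badge record at site " + logon["site"]
        elif ev["action"] == "OUT":
            reason = "badged OUT at " + stamp(ev)
        elif logon["time"] - ev["time"] > max_age:
            reason = "badge-in at " + stamp(ev) + " is older than " + str(max_age)
        else:
            continue  # physical presence confirmed by the badge system
        findings.append((stamp(logon), logon["user"], logon["host"], reason))
    return findings


if __name__ == "__main__":
    for finding in find_unbadged_logons(BADGE_LOG, LOGON_LOG):
        print("ALERT logon without physical presence:", *finding)
```

Run against the sample data it reports three logons: bwong (no badge record), clee (badge-in from the previous evening, older than the staleness limit) and jdoe's afternoon logon (the badge system shows an OUT at 12:01). Whether such a finding blocks the logon or only raises an alert is the kind of acceptable-risk decision the rest of the deck assigns to the converged organization rather than to either group alone.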
Security Convergence Checklist
- Appoint a strong Chief Security Officer (You?)
  - Primarily a law enforcement/legal background
  - IT skills (or familiarity) a plus
- Obtain executive management support of a converged security organization
- Prepare IT security and physical security groups for merger
  - Expect reluctance, skepticism and resistance
  - Point out benefits of working together
- Define scopes of responsibility as well as areas of cooperation
- Co-locate groups, mingling if possible
- Encourage information sharing between the groups
  - Critical to the success of the new organization
Security Convergence Checklist
- Look for investigations/projects that can involve representatives from both areas of expertise
- Reward and recognize efforts as a team
- Meet regularly with managers of each area to resolve difficulties and explore opportunities
- After one year, assess and report to upper management the benefits and resulting efforts of the combined group
- Reconfirm executive management's support of the converged security organization
Points to Remember
- Be flexible
  - The converged structure and function is not cast in stone
- Don't focus primarily on consolidation and cost reduction
  - Must take cost avoidance into account
- There are always tradeoffs
  - Better security = increased cost
- Who decides what is considered acceptable risk?
  - CSO? CIO? CFO?
- Look to create an oversight-oriented business function with the operational functions under its direction
Threats to a Converged Organization
- A repeatable model for a totally converged, centrally managed organization has yet to be successfully implemented and maintained.
- Experience has shown that most converged departments lead to a loss of efficiency, effectiveness or to utter failure.
- Because of the major differences in their backgrounds, the teams of a converged organization are most often driven apart by culture clashes and salary issues.
- Risk and cost avoidance must be recognized for their value, because unless there are clearly identifiable savings and defensible metrics showing security improvements, the converged organization is likely to lose executive management support.
The S Word: Synergy
- Some Key Opportunities
  - Access control, common card systems
    - DoD's Cross Credentialing Project
  - Log monitoring
  - In-house IP video surveillance and DVR recording
  - Computer acquisition and forensics
  - Investigations are often the prime driver
    - Employee termination and de-provisioning
    - Theft of computer assets
    - Theft of electronic data
    - Breach laws
    - Chain of custody and legal issues
    - Physical safety risks
  - Security awareness initiatives
Conclusions
- There is no one-size-fits-all template for convergence
- Convergence should be initiated slowly and in phases, only to the degree that seems logical for an individual company or department
- At its best, convergence may just be a series of co-operative efforts that involve areas of commonality for both disciplines
  - Enterprise-wide common credential card systems
  - Access log monitoring
  - Incident response
  - Investigations
  - Forensics
Additional Information
- www.opensecurityexchange.org
  - Promoting the Interoperability of Physical and Logical Security . . .
- Deloitte & Touche 2006 Global Security Survey
  - (released June 15, 2006)
  - http://www.deloitte.com/dtt/cda/doc/content/us_fsi_150606globalsecuritysurvey28129.pdf
  - D&T Conclusions
    - Despite all the hype, convergence
      - is not here yet
      - is not a critical priority for companies
    - Of 150 companies surveyed
      - Only 21 have any convergence
      - Only 4 will address in next 12 months
      - Only 7 will address in next 24 months
References
- _____, "Special Report: Convergence Next Generation," CSO, (April 15, 2005), p. 19
- Anonymous, "To Converge (and Back)," CSO, (January, 2006), p. 50
- Brown, Jennifer, "Meet Mr. Convergence," Canadian Security, (January, 2006), p. 16
- Staff writers, "CSO Fundamentals: ABCs of Physical & IT Security Convergence," CSO Online, URL http://www.csoonline.com/fundamentals/abc_convergence.html
- ______, "Security Convergence," CIO World News, (February 13, 2006), URL http://www.cio.de/news/cio_worldnews/818278/index1.html
- J.R. Reagan, BearingPoint, "Security & Privacy: Cost, Complexity & Compliance Issues for State Governments," NYS Cyber Security Conference, (June 15, 2006)
References
- Sarkar, Dibya, "Two Converging Worlds: Cyber and Physical Security," FCW.com, (December, 2004), URL http://www.fcw.com/article84751-12-12-04-Print
- _____, "Fake ATM plays Gotcha with Users," Boston Globe, (May 12, 1993)
- Scalet, Sarah D., "ALARMED: Bolting on Security at Stop & Shop," CIO, (March 21, 2007)
- Tyson, Dave, "The Meaning of Convergence," Security Convergence and Managing Enterprise Security Risk, Butterworth-Heinemann, 2007
- Koffel Associates Inc., "Convergence Engineering," URL http://www.koffel.com/Convergence%20Engineering.pdf
Questions?