268Security Strategy: From Requirements to Reality
the sensitivity of data transferred, processed, or stored at the provider. All the services deal with sensitive data; there is no getting around that. At best you may be able to limit the length of time the data are retained by the provider. Network shared risks will be mitigated with mandatory encryption, including end-point authentication (i.e., TLS, IPSec, etc.). One can expect the provider's host security to be tight, with services restricted to a limited number of ports and protocols. Prudence calls for a thorough verification, however.

Another shared risk involves the provider's support systems and applications. Data from multiple customers is commingled on these systems. An operator error, system failure, or misconfiguration could result in some data being disclosed to the wrong party—for example, an alert like this, "fs01.de.abccorp.com breach, Downadup variant C exploit, status: critical" being sent to the ABC Corporation instead of its Germany subsidiary. This makes verifying the provider's operations and personnel process equally important. Table 13.2 maps result confidentiality objectives to specific baselines. The type (hard or soft) is used to denote how the metric for each control objective is collected. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control.
Prevent the Disclosure of Events
The disclosure of actual events can have a much stronger impact. In addition to exposing an exploitable vulnerability, the disclosure may cause the attacker to break off the attack, hampering investigative and law enforcement efforts. The disclosure may also subject the organization to unwarranted notification requirements or fines. Actual security breaches also have a much higher impact on customer confidence and company reputation. These risks are more prevalent in system monitoring, incident support, and system management services, but auditing services may also uncover event information.

The control objectives for this risk and the Maintain the Confidentiality of Results risk above are the same (see Table 13.2).
Table 13.2 Control Objectives: Maintain the Confidentiality of Results

Attribute/Control | Type | Risk and Requirements
Data Placement
Limited retention | Soft | Service provider must securely delete data containing customer-specific information (aggregation for statistical analysis is permitted) within a specific time frame to prevent disclosure from a provider security breach or operator error.
Process Share Risk
Extended measures | Soft | Excellence in operations:
                  | Soft | - Data separation in shared support systems and applications
                  | Soft | - Notification and report routing controls
                  | Soft | - Operator accountability controls
Training | Soft | Provider has mandatory training and skills tracking process.
TAF-K11348-10-0301-C013.indd 268 8/18/10 3:12:26 PM
Hire a Hessian (Outsourcing)269
Preserving Evidence
Security events carry with them a potential for legal action, including prosecution of the perpetrator, prosecution of company officials (à la Sarbanes-Oxley), civil penalties, and lawsuits for downstream damages. This makes the collection and preservation of evidence a critical component of incident management. When security services are outsourced, some of that evidence may end up being stored or generated at the service provider; therefore, controls must be in place to ensure that the integrity of the data is maintained. There are two major risks here: loss of evidence and inadmissibility. The first issue is obvious: We want our provider to retain the evidence we need. Second, we want our provider to preserve the integrity of the information in a traceable way. Evidence has some very specific attributes. It must be sufficient, relevant, and reliable. Records that are subject to unauthorized modification are not reliable and therefore not admissible. There are two aspects to integrity: One is the integrity of the data, and the second is the protector/custody of the data (i.e., what parties had control over the information from the time it was collected until it was presented in court?). This record is called the chain of custody, and it can be a real challenge to maintain for civil suits that take up to five years to complete! Since the outcome of legal actions depends on the evidence presented, submitting insufficient, irrelevant, or unreliable information will increase potential liabilities. Evidence collection and preservation processes are usually part of an organization's Incident Response Plan. When security services are outsourced, the plan must be revised to include an interface with the provider or providers. Most MSSPs will already have this interface defined; some may provide automated tools for selecting the data you want preserved and to digitally sign or create an ICV (Integrity Check Value) for data integrity purposes. The management of evidence is a standard skill set for security consultancies and incident support vendors. Table 13.3 maps the management of evidence objectives to specific baselines. The type (hard or soft) is used to denote how the metric for each control objective is collected. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control. Both indicates either type or a hybrid control.
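One way to implement the "Reliable" objective described above (an ICV over the preserved data plus a traceable chain of custody), as an added example that is not the chapter's or any MSSP's code; the custody key, custodian names, timestamps, and the record layout are assumptions made for the example:

```python
import hashlib
import hmac
import json

# Hypothetical custody key shared by customer and provider (constructed; not for production use).
CUSTODY_KEY = b"constructed-demo-key-not-for-production"
# Constructed sample evidence: the alert text quoted in the chapter, as a captured log line.
SAMPLE_ALERT = b"fs01.de.abccorp.com breach, Downadup variant C exploit, status: critical\n"

def compute_icv(data: bytes) -> str:
    """Integrity Check Value: a SHA-256 digest of the preserved evidence bytes."""
    return hashlib.sha256(data).hexdigest()

def _entry_mac(prev: str, entry: dict) -> str:
    """MAC each custody entry together with the previous link so the chain is traceable."""
    msg = prev.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(CUSTODY_KEY, msg, hashlib.sha256).hexdigest()

def transfer_custody(record: dict, custodian: str, action: str, when: str) -> dict:
    """Append a custody entry; its MAC binds it to the previous entry (or to the ICV)."""
    prev = record["custody"][-1]["mac"] if record["custody"] else record["icv"]
    entry = {"custodian": custodian, "action": action, "time": when}
    entry["mac"] = _entry_mac(prev, entry)
    record["custody"].append(entry)
    return record

def designate_evidence(evidence_id: str, data: bytes, custodian: str, when: str) -> dict:
    """Preservation record created when data is designated as evidence at the provider."""
    record = {"evidence_id": evidence_id, "icv": compute_icv(data), "custody": []}
    return transfer_custody(record, custodian, "designated as evidence", when)

def verify(record: dict, data: bytes) -> tuple:
    """Return (data_intact, chain_intact); catches altered data and altered or removed entries."""
    data_ok = hmac.compare_digest(record["icv"], compute_icv(data))
    prev, chain_ok = record["icv"], True
    for entry in record["custody"]:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(entry["mac"], _entry_mac(prev, body)):
            chain_ok = False
            break
        prev = entry["mac"]
    return data_ok, chain_ok

def demo() -> tuple:
    """Walk one evidence item from the provider SOC to customer counsel, then tamper with it."""
    rec = designate_evidence("ev-0001", SAMPLE_ALERT, "provider-soc", "2010-08-18T15:12:00Z")
    transfer_custody(rec, "abc-corp-legal", "released to customer counsel", "2010-08-19T09:00:00Z")
    intact = verify(rec, SAMPLE_ALERT)
    altered_data = verify(rec, SAMPLE_ALERT.replace(b"critical", b"low"))
    rec["custody"][0]["custodian"] = "unknown"  # rewrite history in the custody log
    broken_chain = verify(rec, SAMPLE_ALERT)
    return intact, altered_data, broken_chain
```

Deleting the most recent entry is not detectable from the record alone; the customer should keep the last MAC it received as an external anchor, which this example does not model.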
Table 13.3 Control Objectives for the Management of Evidence

Attribute/Control | Type | Risk and Requirements
Evidence Preservation
Retained | Soft | Excellence in operations:
         |      | - Formal process and provider interface to designate specific data as evidence to prevent it from being altered or deleted by the provider
Reliable | Both | A means of ensuring that retained evidence is admissible must be in place, including tamperproofing the data and maintaining the chain of custody.

Avoiding Retention/Discovery Liabilities

This issue is almost the opposite of preserving evidence. We want to retain evidence that supports our cause, but we do not want to risk retaining information that may prove to be a future liability. Most organizations have a data-retention policy based on industry requirements and standards. When an organization is outsourcing security services, these requirements must be reconciled with the provider's capabilities. Most providers will not retain information for any extended time. The quantity of data MSSPs collect is too massive to retain for any length of time. Assessment, consulting, and incident support providers prefer not to retain data because of its sensitive and potential disclosure liabilities. Auditors are more likely to retain data supporting their attestation.

Important Note
The authors wish to make it clear that we are not under any circumstances suggesting that companies should destroy any information subject to discovery under a pending legal action.
The "reasonable man" standard is used in U.S. law to determine culpability for damages. The question is, "What would the reasonable person of ordinary prudence have done under the same or similar circumstances?" In other words, given the knowledge and skills the person (or organization) had at the time, did they exercise due care to prevent people (or other entities) from being damaged? For example, if you know the brakes on your car aren't working and you drive it anyway and crash, you didn't exercise due care because any reasonable person would know you don't drive a car without brakes! Now think about this in terms of hundreds of records of system vulnerabilities or breaches. If someone sues you and subpoenas those records, you've got a lot of explaining to do! That's not to say that you didn't do the right thing each time, but now you have to prove you did, and that could be a very costly endeavor in both directions: internal investigation costs and civil penalties if you can't prove due care. The best way to manage this risk is to destroy this data when it is no longer useful. What is and is not "useful" is something you'll need to negotiate with your provider; their definition may require a longer retention period than yours. Table 13.4 maps retention/discovery liability avoidance objectives to specific baselines.
Elevated Privilege and Intellectual Property Loss
These two issues are combined because they share the same control objectives. Some outsourced security activities involve access to valuable intellectual property, for example, software architecture and design reviews and source code reviews. Other activities, incident support and security device management, for example, require elevated privileges that also grant access to intellectual property. These activities increase the risk of loss from the theft or disclosure of the organization's intellectual property. When Bill first went to work at Microsoft, he was a contractor doing security assessments and source code reviews. He remembers poking around the network for internal tools he could leverage for his assessments. He was utterly amazed at the level of access he had to proprietary intellectual property, including a substantial amount of Windows 2000 source code. That certainly wasn't the case when he left, however. In today's world of high-capacity portable storage devices and miniature cameras, exposing any quantity of high-value data to strangers is dangerous.
Table 13.4 Control Objectives for Media Retention

Attribute/Control | Type | Risk and Requirements
Retention Liability
Destroyed | Soft | Excellence in operations:
          |      | - Adjustable retention time frame for data stored at the provider to ensure that it is not subject to legal discovery
          |      | - Formal process to securely delete all copies of data exceeding the retention period to ensure that it is not subject to legal discovery
Good accountability controls are the best way to deal with this risk. Accountability protects against intellectual property loss by tracking which individuals are in possession of which pieces of information at any given point in time. This makes it possible to hold those individuals responsible for any misuse of that data. Unfortunately, there aren't a lot of good accountability controls available. Good oversight and monitoring is another possible mitigation; limiting I/O (input/output) is a third. The problem with oversight is that it is resource intensive. Mandatory escorts were not uncommon when Bill worked for the U.S. Navy, but while he was standing outside the men's room one day waiting for his consultant, nothing productive was getting done! If you have video surveillance capabilities in the areas where external resources are working, you may be able to leverage it to reduce the amount of one-to-one time required. Limiting I/O capabilities works better. This was the approach one brokerage house took for their source code review. They allowed the external auditor to bring a laptop on-site for note-taking purposes but nothing else. They furnished a workstation that had no USB ports and a read-only CD drive. No system documentation or source code could be taken off premise. The downside of the arrangement was that work could only be conducted when a member of the staff was there; the upside was that on Friday they all headed off to the pub at 4 PM! Most modern systems are equipped with USB connections. Depending on the operating system, limiting their use can be challenging. We like the Navy's solution: Fill the connector with epoxy! Somehow disabling the device driver seems to be a better approach. Table 13.5 maps the intellectual property management objectives to specific baselines. The type (hard or soft) is used to denote how the metric for each control objective is collected. Soft indicates a procedure-based control, while hard denotes a technology-based (i.e., automated) control. Both indicates either type or a hybrid control.
The following actions are recommended to facilitate the outsourcing of security services:
1. Review your incident response and investigation processes and establish what interfaces and data exchanges will be required for outsourcing.
2. Review your corporation's data-retention policies to determine what retention cycles must be established for data stored at a service provider.
3. Review your corporate data destruction standards to determine what data destruction capabilities will be required for your providers.
4. Review your service areas (e.g., U.S., EU, Asia, etc.) to determine the best outsource data storage and processing scheme. Make sure your storage and processing scheme does not subject you to any additional statutory or regulatory compliance requirements.
5. Garner the support and participation of key security stakeholders. Get their help defining the objectives for each security outsourcing solution. Also get their help filling the policy and procedure gaps and modifying processes to accommodate security outsourcing risks.
6. Modify existing processes for vetting potential providers and managing contracted providers (engagement process) to include security-specific checks.
7. Prepare the materials (forms, questionnaires, surveys, etc.) required for the vetting, contracting, and engagement processes.

Table 13.5 Control Objectives for Intellectual Property Management

Attribute/Control | Type | Risk and Requirements
Intellectual Property Loss
Accountability | Both | Records of all accesses to intellectual property for each outsourced entity are captured and protected against alteration to discourage illicit activities and alert staff of unauthorized activity.
Supervision | Soft | Internal staff is assigned to monitor outsourced personnel to discourage and/or report unauthorized activity.
Surveillance | Soft | Security staff is assigned to observe the actions of outsourced personnel to discourage illicit behavior and report prohibited or suspicious activities.
Limited I/O | Hard | All unnecessary output devices are removed or disabled to prevent loss of intellectual property.
Conclusion
King George's outsourcing efforts ultimately failed (he lost the war), although history would tell us it wasn't the service provider's fault. By all accounts, the Hessians were well-trained, disciplined, and valiant soldiers. If anything could be blamed, it was the language barrier between the British and Hessian commands and the arrogance of their commanders. They discounted the will and determination of the rag-tag Continental Army. Hopefully, in our outsourcing efforts we won't make the same mistakes.

Outsourcing portions of IT operations is a fairly standard practice. From a security standpoint, most outsourcing has defensive objectives. Data security is always a major concern when outsourcing, but cost savings is the major driver, followed by better business focus and increased productivity. Risk mitigation is a distant fourth. Outsourcing supports the security principles of economy, redundancy, and preparedness through lower control and personnel costs, high reliability, and staff expertise. If your organization depends on excellence in observation and response timeliness, outsourcing may not work well for you.

In this chapter we examined outsourcing from two perspectives: general IT services outsourcing and security services outsourcing. The general requirements and risks are applicable to all IT outsourcing; security outsourcing has some additional risks to address. The majority of IT outsourcing arrangements create a hybrid or shared infrastructure; some services remain in-house, whereas others are external. This cross connection of computing enclaves creates shared risks that must be mitigated. It is important to remember that you can transfer data and processing to a service provider, but you cannot transfer responsibility; you are ultimately responsible for the protection of the data resources entrusted to your care.

Small and medium companies seem to realize the biggest benefit from outsourcing because they get to use the latest versions of software and have access to advanced technologies they couldn't afford to keep in-house. They also benefit from reduced labor costs because they do not need to retain in-house expertise. Companies have the best success when outsourcing commodity IT services (such as e-mail, instant messaging, and conferencing) and expert assistance (i.e., incident support, consulting, security monitoring). Firms that outsource management functions haven't fared as well.

The biggest security challenges in outsourcing are data protection and compliance. Companies can mitigate the risks associated with external processing and storage by carefully managing data location, limiting the types of services used, or encrypting sensitive information before sending