Slide 1 - Surf
Transcription
Our Mission: to keep KPN reliable & secure and trusted by customers, partners and society

WHAT we will achieve:
• Deliver secure products & services to our customers.

HOW we will do so:
• Manage a security framework that ensures a 360-degree approach to mitigating security risk to KPN's networks and data.
• Maintain the security processes, people and technologies required to address the evolving security threat landscape.
• Define the information security threats (external and internal) to KPN's network infrastructure and data.
• Measure, manage, respond to and remediate the security risk to KPN's external and internal network infrastructure and data that is vulnerable to attack.
• Assure that expertise & capabilities in the area of IS & BCM are in place and up to date.

Pillars: Security Awareness; Security Capability; Visibility & Risk Intelligence

World of Security at KPN
CISO; CSO; Physical Security; JAM; Fraud Management; Security Helpdesk; Information Security & Business Continuity Management; NOC & SOC & Abusedesk; Operational Security Incident Management; GRC; Compliance to Telecom Act; RFR; BCF & GRIP; Privacy; LEGAL; Legal affairs; External Relations

CISO Organization (COO: Farwerck; CISO: Baloo; Program Coordinator)
Phases: PREVENT, DETECT, RESPOND, VERIFY
• Security Strategy & Policy: policy creation and maintenance; security posture; set SSO segment reports; classify and monitoring; key programs and projects
• KPN Red Team: internal ethical stress testing; product review testing; application testing; audit criteria verification testing; Portal Authority
• SSO
• CERT CC: risk intelligence; threat analysis; incident response and resolution coordination; contact point for information security across KPN

Improving Security Governance and Organisation
KPN Security Operations / KPN NL Information Security Office / CISO
• Internal Security Operations Center; Strategy & Policy; Red Team; CERT; Security Advisors (three teams); External Security Operations Center; Abusedesk
• Segments RSD, ZM, S&I, Netco and Corp/SSO/Ibas, each with a Sr Security Officer and Security Officers responsible for:
  1. Policy Implementation
  2. Security and Continuity Design
  3. Supplier Management
  4. Incident Response & Risk Intelligence
  5. Client Assurance (two of the segments only)

New Security Policy Framework – functional areas covered
01 Management of security (e.g. risk management, roles & responsibilities)
02 Human resource security (e.g. awareness, training, screening)
03 Asset handling (e.g. classification, media handling)
04 Physical security (e.g. buildings, access control)
05 System & network security (e.g. systems, networks, applications)
06 Innovation & development (e.g. innovation)
07 Supplier relationships (e.g. assurance, outsourcing)
08 Incident management (e.g. reporting, response, crisis)
09 Business continuity (e.g. planning, exercising)
10 Regulatory compliance (JAM, privacy, fraud management)
Each functional area is elaborated in a specific set of standards, rules, guidelines and tools.
Note: structure and terminology are aligned with the new ISO/IEC 27002 (latest working draft dated 11-10-2012), but tuned to the KPN context where useful or required.

Wait – we have a process for this?
Security incident process: incident registration; initiation phase; escalate; act; operational phase; evaluate and document; report; aftercare phase; triage

Case 1: management quote: "Test servers can have lower security requirements...."

CASE 1: 1st stage – scan panic
Red Team test Q4 2013. Scope: 213.75.0.0/17, unauthenticated, gentle.
Test: follow-up of critical findings from the Nessus scan: JBoss 'EJBInvokerServlet' and 'JMXInvokerServlet' (CVE 10/2013).
Traffic analysis shows 12 seconds of 60 Mbps: the bots sign off as soon as they have fired their 60 Mb/s UDP stream.
What are these systems? Where are they? Who owns them?

CASE 1: 2nd stage – WTF! (Wednesday, Thursday & Friday)

CASE 1: in parallel to external reporting
• Temporarily disconnect the internal interfaces of the currently known 4 compromised systems and set up our own system to take over their IPs and MACs and connect on the same ports, mimicking the compromised hosts.
• Scan networks and hosts, map out routes, and discuss findings with admins.
• Check in Qualys whether a check for these vulnerabilities already exists.
• CERT: analyze the traffic that is already being monitored.
• CERT: perform forensics on possibly compromised systems.
• Collect scan results for tweaking a new scan of the complete KPN outside infrastructure to identify more JMX consoles.

CASE 1: 3rd stage – reporting to the NCSC
KPN-CERT Notification :: TLP-Amber

Guest Hacker Program – learn from the best
20 min, 1 idea

Weekly Risk Intel – for top management & the rest of KPN
"Good evening Joost, this is your weekly Risk Intel" (CLASSIFIED / UNCLASSIFIED)

Working together with the Authorities – an example: Cyberpaint

Reality Checks
• Benchmark with others, especially telcos
• With other ethical hackers
• Keep checking on our ability to do good with Key Security Indicators

Why Silent Circle? Protecting my board

Security is a journey – NOT a destination
• Know thyself and thy network
• Develop awareness and keep doing it // NON-CONVENTIONALLY
• You can't find what you're not looking for, so keep review cycles for monitoring and intel gathering; find your friends to share intel
• Develop capability and keep improving it: a continuous improvement cycle
• Get a reality check – it's healthy

Bonus slides for extra credit

EU – Cyber Security Strategy
• Software and hardware manufacturers: currently excluded from the scope of the Directive

Data Retention
"by requiring the retention of those data and by allowing the competent national authorities to access those data, the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data."
"Furthermore, the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the persons concerned a feeling that their private lives are the subject of constant surveillance,"

NL – Cybercrime bill (Wetsvoorstel Cybercriminaliteit)
• Hack back
• Allowed use of exploits, spyware, etc.
• Hack inside and outside NL
• "Automated device" – open definition
• Decryption order

PGP; TOR; Tails; Why can't Johnny encrypt?
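Returning to Case 1 above: the traffic analysis there boiled down to spotting hosts that push a short UDP burst (about 12 s at 60 Mbps) and then go quiet. The Python below is an added example, not part of the original deck or KPN tooling, that applies that heuristic to constructed flow records; the thresholds (50 Mbps, 20 s) are assumptions.

```python
"""Spot the Case 1 traffic pattern: a short, high-rate UDP burst (roughly
12 s at 60 Mbps) after which the sending host goes quiet.  Added example;
the flow records below are constructed, not KPN data."""
from collections import defaultdict

# Constructed flow records: (start_sec, src_ip, dst_ip, proto, bytes, duration_sec)
SAMPLE_FLOWS = [
    (0,  "10.0.0.5",  "203.0.113.9",  "tcp",   2_000_000,  30),  # ordinary web traffic
    (10, "10.0.0.7",  "198.51.100.3", "udp",  90_000_000,  12),  # 60 Mbps for 12 s
    (40, "10.0.0.7",  "198.51.100.4", "udp",       1_000,   1),  # negligible
    (12, "10.0.0.9",  "192.0.2.20",   "udp",  45_000_000,   6),  # 60 Mbps for 6 s
    (0,  "10.0.0.11", "192.0.2.21",   "udp", 600_000_000, 600),  # 8 Mbps sustained: not a burst
]

# Assumed thresholds: a burst is at least this rate and at most this long.
MBPS_THRESHOLD = 50.0
MAX_BURST_SEC = 20


def rate_mbps(nbytes, duration_sec):
    """Average bit rate of a flow in Mbps (0 for zero-length flows)."""
    if duration_sec <= 0:
        return 0.0
    return nbytes * 8 / duration_sec / 1e6


def find_udp_bursts(flows, mbps=MBPS_THRESHOLD, max_sec=MAX_BURST_SEC):
    """Return {src_ip: [burst, ...]} for sources emitting short high-rate UDP flows."""
    hits = defaultdict(list)
    for start, src, dst, proto, nbytes, dur in flows:
        if proto != "udp":
            continue
        rate = rate_mbps(nbytes, dur)
        if rate >= mbps and dur <= max_sec:
            hits[src].append({"start": start, "dst": dst,
                              "mbps": round(rate, 1), "seconds": dur})
    return dict(hits)


def report(flows):
    """One line per suspect flow, ready for the 'what is it, who owns it?' round with the admins."""
    lines = []
    for src, bursts in sorted(find_udp_bursts(flows).items()):
        for b in bursts:
            lines.append(f"{src} -> {b['dst']}: {b['mbps']} Mbps for {b['seconds']} s at t={b['start']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS)))
```

The long 8 Mbps flow is deliberately left out of the hits: the point of the heuristic is the burst-then-silence shape, not raw volume.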