session_10_slides

Session 3 - Overview
• Ensuring that a company is able to continue day-to-day operations is a core function of the IT organization.
• Security is a vital element that contributes to smooth operations.
• Tools, processes and management engagement are attributes of a quality security management framework.
1
Current Key Questions to Ask
• How vulnerable / exposed is your organization to security threats and interruptions? How would you know that you were exposed or under attack?
• What is your organization's ability to respond to security incidents? (i.e., denial of service, cyber-crime)
• Are you getting value for your security dollar spent? Are there any cost or efficiency opportunities?
• How well is security integrated into new business and technology initiatives?
• Are you taking your business to the Internet? Have you thought through the security ramifications?
• How well does your current security infrastructure (i.e., organization, process, policy, technology) match your future business strategy and business needs/requirements?
• How do you compare to your peers? Your industry?
2
Security Strategy Framework
• The various components of the architecture and strategy combine to form the Security Framework. The Framework is a unified representation of the people, process and technology components that need to be addressed in the development of an enterprise security program.
• The Framework consists of several interconnected components, each of which contains a specific set of requirements and deliverables that contribute to the overall architecture and strategy. Once each component has been implemented, the Framework will enable a company to proactively reduce risk, adhere to regulatory, security, and privacy standards, and enable security to effectively support its business requirements.
• The objective, represented by the circle on the framework, is: Availability, Confidentiality, and Integrity.
Source: © Ernst & Young LLP
3
Security Strategy & Architecture
Security Strategy Drivers
• Compliance with applicable legislation, standards and regulations (management controls, privacy, etc.)
• Protecting the company’s image and reputation
• Information security – Confidentiality, Integrity, Availability
• Protection from internal and external threats
  – Unauthorized access
  – Loss of intellectual property
  – Malicious software
  – Business interruption
• Maintain technical currency
• Business efficiencies (bottom line ROI)
• Business interests in high-risk regions, countries, expanding market segments (e.g., gov’t)
• Extended enterprise models (business partner arrangements, networking requirements)
• Portable computing variations (on-site, remote, wireless)
We must enable the business to evolve and operate effectively while maintaining a secure, compliant environment.
Source: © Ernst & Young LLP
4
Governance Policies & Standards
• Principles (Policies & Standards):
  – Policies and standards for all key aspects of IT security:
    • are defined and reviewed/updated on a regular basis,
    • balance risk with business needs,
    • are aligned with process and technology capabilities,
    • are consistent with industry practices, and
    • are communicated and followed.
Source: © Ernst & Young LLP
5
Governance Policies & Standards (cont’d)
• Principles (Governance):
  • IT Security is a fundamental responsibility of every employee. Governance to ensure compliance is the responsibility of IT.
  • The governance of IT security will integrate with the overall governance model for IT.
  • Frequent Security Control Meetings are used as the primary governing mechanism.
Source: © Ernst & Young LLP
6
Asset Profiling
• Principles:
  – All physical IT Assets are:
    • known, authorized and compliant with policies and standards,
    • classified according to criticality and the sensitivity/importance of the information assets they support,
    • secured and managed consistent with their classification,
    • maintained/patched to minimize risks/vulnerabilities, and
    • supported by appropriate security service levels.
  – Critical information assets are identified, owned and protected.
Source: © Ernst & Young LLP
7
Technical Security Architecture
• Principles:
  • Provide a framework for incorporation of security into the IT Architecture that promotes the use of standardized components across the infrastructure.
  • Maintain effective security of the environment in the most effective manner and with the least amount of complexity.
  • Provide a security infrastructure that supports a ubiquitous, high-availability environment:
    – Enforce the utilization of strong security baseline controls for all infrastructure elements
    – Prevent the use of unauthorized systems on the Lucent infrastructure
    – Provide defenses against the use and proliferation of harmful application and traffic on the network
Source: © Ernst & Young LLP
8
Processes and Operational Practices
• Principles:
  • Security is an integral part of the IT delivery model and security must be “baked in” rather than “layered on” wherever possible.
  • Security processes are clearly defined, managed and measured, with a clear understanding of risks, control activities and required control evidence documentation.
Source: © Ernst & Young LLP
9
Technical Specifications
• Principles:
  • Technical Specifications (i.e. Minimum Security Baseline Standards) are defined, maintained, and consistent with industry practice.
  • Compliance with Technical Specifications is verified as part of the design/implementation of Applications and Infrastructure.
  • Technical Specifications are developed/modified to consider applicable risks, operational and technical feasibility.
  • Exceptions are handled through a formal Non-Compliance Exception process.
Source: © Ernst & Young LLP
10
People And Organizational Management
• Principles:
  – Security Organizational design consists of key areas:
    • Security Strategy & Architecture
    • Security Work Intake & Client Engagement
    • Security Management Controls and Oversight
    • Security Operational Controls (Change, Incident, Release, Problem)
    • Application Design & Implementation (incl. security design/test)
    • Infrastructure Design & Implementation (incl. security design/test)
    • Applications Support and Minor Enhancements
    • Security Incident Management & Monitoring
  – Separation of Duties is evident in role definition and execution.
Source: © Ernst & Young LLP
11
Security Program Compliance and Reporting
• Principles:
  • Compliance with Security Policies, Standards and Procedures is mandatory and must be enforced.
  • Security Compliance is managed as part of a company’s overall compliance program.
  • Security compliance is verified by a variety of mechanisms including mandatory training/compliance modules, automated monitoring, and compliance checklists.
  • Exceptions are handled through a formal Non-Compliance Exception process.
Source: © Ernst & Young LLP
12
IT Security Architecture Principles
• Provide a framework for incorporation of security into
the IT Architecture that promotes the use of
standardized components across the infrastructure
• Maintain effective security of the environment in the
most effective manner and with the least amount of
complexity.
• Provide a security infrastructure that supports a
ubiquitous, high-availability environment
– Enforce the utilization of strong security baseline
controls for all infrastructure elements
– Prevent the use of unauthorized systems on the
infrastructure
– Provide defenses against the use and proliferation
of harmful application and traffic on the network
13
IT Security Architecture Attributes
• Compliance Checking / Monitoring
  – Continuous monitoring and event correlation
  – Enforces policy compliance
  – Enhances incident prevention and response capabilities
• Least Privilege / RBAC
  – Access to resources based on business roles & functions
  – Promote confidentiality and accountability for critical resources
• Separation of Risks
  – Segmentation of infrastructure into security “zones”
  – Enhanced protection for critical areas
  – Restrictive access between zones
  – Prevent cascading failure
• Defense in Depth
  – Placement of successive defense layers
  – Each layer complements, fortifies other layers
  – Minimize single points of failure
14
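The following is an added example, not code from the slides or from Ernst & Young: a small access-policy evaluator that combines three of the attributes above. Least privilege is implemented as role-based access control, separation of risks as security zones with restrictive flows between them, and defense in depth by running every check independently and allowing a request only when all checks pass (deny by default). The roles, zones, resources and sample requests are constructed for illustration, not a real policy.

```python
"""Added example, not from the slides: RBAC + zone segmentation + independent
checks, evaluated deny-by-default. All policy data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Zone policy: which source zones may reach which destination zones.
# Any flow not listed is denied (restrictive access between zones).
ZONE_FLOWS: dict[str, set[str]] = {
    "internet": {"dmz"},
    "dmz": {"app"},
    "app": {"data"},
    "mgmt": {"dmz", "app", "data"},
}

# RBAC: role -> set of (resource, action) the role is allowed. A role carries
# only what the business function needs; there is no wildcard.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "web-user": {("storefront", "read")},
    "order-clerk": {("storefront", "read"), ("orders-db", "read")},
    "dba": {("orders-db", "read"), ("orders-db", "write")},
    "sysadmin": {("storefront", "admin"), ("orders-db", "admin")},
}

# The zone in which each protected resource lives (constructed).
RESOURCE_ZONE: dict[str, str] = {"storefront": "dmz", "orders-db": "data"}


@dataclass
class Request:
    subject: str
    roles: set[str]
    src_zone: str
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def check_zone(req: Request) -> tuple[bool, str]:
    """Separation of risks: the source zone must be allowed to reach the zone
    hosting the resource. Same-zone access is allowed; unknown resources or
    unknown source zones are denied."""
    dst = RESOURCE_ZONE.get(req.resource)
    if dst is None:
        return False, f"zone: unknown resource {req.resource!r}"
    if req.src_zone == dst or dst in ZONE_FLOWS.get(req.src_zone, set()):
        return True, f"zone: {req.src_zone} -> {dst} permitted"
    return False, f"zone: {req.src_zone} -> {dst} not permitted"


def check_rbac(req: Request) -> tuple[bool, str]:
    """Least privilege: one of the subject's roles must grant exactly the
    (resource, action) pair requested; nothing is inherited or implied."""
    for role in sorted(req.roles):
        if (req.resource, req.action) in ROLE_PERMISSIONS.get(role, set()):
            return True, f"rbac: role {role!r} grants {req.action} on {req.resource}"
    return False, f"rbac: no role in {sorted(req.roles)} grants {req.action} on {req.resource}"


# Defense in depth: the layers are independent and all of them are evaluated.
CHECKS = (check_zone, check_rbac)


def evaluate(req: Request) -> Decision:
    """Allow only if every layer allows. Every layer's reason is kept, so a
    reviewer can see which layer stopped a request and which would have let it
    through."""
    results = [check(req) for check in CHECKS]
    return Decision(allowed=all(ok for ok, _ in results),
                    reasons=[why for _, why in results])


if __name__ == "__main__":
    samples = [
        Request("alice", {"web-user"}, "internet", "storefront", "read"),
        Request("alice", {"web-user"}, "internet", "orders-db", "read"),
        Request("bob", {"dba"}, "app", "orders-db", "write"),
        Request("bob", {"dba"}, "internet", "orders-db", "write"),
    ]
    for r in samples:
        d = evaluate(r)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{r.subject:6} {r.src_zone:9} {r.action:5} {r.resource:10} {verdict}  {'; '.join(d.reasons)}")
```

The fourth sample request is the one worth studying: the DBA role does grant the write, but the request originates from the internet zone, so the zone layer denies it and the overall decision is deny. That is the property the slide's "each layer complements, fortifies other layers" line is describing: a correct RBAC grant cannot override a segmentation failure, and vice versa.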
IT Security Architecture – Framework
ITU X.805 Security Model
• Security Layers: Applications Security, Services Security, Infrastructure Security
• Security Planes: End User Plane, Control Plane, Management Plane
• Security Dimensions: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communications Security, Data Integrity, Availability, Privacy
• Threats: Destruction, Corruption, Removal, Disclosure, Interruption
• Vulnerabilities
• Attacks
15
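As an added example, not part of the slides or of ITU-T's own material, the X.805 model can be used for gap analysis by treating its 3 security layers × 3 security planes × 8 security dimensions as a matrix of 72 cells and recording which cells each deployed control addresses. The control inventory below is constructed sample data; the layer, plane and dimension names are those on the slide.

```python
"""Added example, not from the slides: X.805 layers x planes x dimensions as a
72-cell coverage matrix for gap analysis. The control inventory is constructed."""
from itertools import product

LAYERS = ("Infrastructure", "Services", "Applications")
PLANES = ("Management", "Control", "End User")
DIMENSIONS = ("Access Control", "Authentication", "Non-Repudiation",
              "Data Confidentiality", "Communications Security",
              "Data Integrity", "Availability", "Privacy")

# A cell is a (layer, plane, dimension) triple; 3 x 3 x 8 = 72 of them.
ALL_CELLS = frozenset(product(LAYERS, PLANES, DIMENSIONS))


def cells(layers=LAYERS, planes=PLANES, dimensions=DIMENSIONS):
    """All cells spanned by the given layers, planes and dimensions. A control
    that applies to every layer or every plane simply omits that argument.
    Names outside the model are rejected so typos do not silently cover nothing."""
    for given, allowed in ((layers, LAYERS), (planes, PLANES), (dimensions, DIMENSIONS)):
        unknown = set(given) - set(allowed)
        if unknown:
            raise ValueError(f"not an X.805 value: {sorted(unknown)}")
    return set(product(layers, planes, dimensions))


# Constructed control inventory: control name -> cells it addresses.
CONTROLS = {
    "Network-level access control lists":
        cells(layers=("Infrastructure",), dimensions=("Access Control",)),
    "Token/SmartCard authentication for administrators":
        cells(planes=("Management",), dimensions=("Authentication",)),
    "IPsec VPN between sites":
        cells(layers=("Infrastructure",),
              dimensions=("Data Confidentiality", "Data Integrity",
                          "Communications Security")),
    "Application role-based access control":
        cells(layers=("Applications",), planes=("End User",),
              dimensions=("Access Control",)),
    "Redundant network infrastructure":
        cells(layers=("Infrastructure",), dimensions=("Availability",)),
}


def coverage(controls=CONTROLS):
    """Cells addressed by at least one control."""
    covered = set()
    for cs in controls.values():
        covered |= cs
    return covered & ALL_CELLS


def gaps(controls=CONTROLS):
    """Cells no control addresses, sorted for stable reporting."""
    return sorted(ALL_CELLS - coverage(controls))


def gaps_per_dimension(controls=CONTROLS):
    """Uncovered cells per dimension (9 possible each). A 9 means nothing in the
    inventory addresses that dimension on any layer or plane."""
    counts = {d: 0 for d in DIMENSIONS}
    for _, _, dim in gaps(controls):
        counts[dim] += 1
    return counts


def covering_controls(cell, controls=CONTROLS):
    """Which controls address one cell; an empty list means that cell is a gap."""
    return sorted(name for name, cs in controls.items() if cell in cs)


if __name__ == "__main__":
    print(f"{len(coverage())} of {len(ALL_CELLS)} cells covered")
    for dim, n in gaps_per_dimension().items():
        print(f"  {dim:24} {n} uncovered")
```

With this inventory the report shows Non-Repudiation and Privacy at 9 uncovered cells each, i.e. no control at all, which is the kind of finding the matrix view surfaces and a control-by-control list does not.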
Security Architecture – Layers
Framework
• Security Layers: Applications Security, Services Security, Infrastructure Security
• Security Planes: End User Plane, Control Plane, Management Plane
• Controls shown on the slide (in slide order):
  – Role-Based Access Control
  – Anti-Malware Control
  – Web Services Security
  – Identity Management
  – Authentication (Token/SmartCard)
  – PKI
  – Encryption (Desktop, Messaging, Storage)
  – Encryption (Network Layer - IPSec/VPN/SSL)
  – Monitoring, Detection, & Response
  – Infrastructure Partitioning
  – Partnership Network Connectivity Standards
  – Network Level Access Control
  – Physical Security Controls
  – Policies
  – Directory Services
16
Areas to Study
Functional Area: Reasoning
• Compliance Monitoring: Inventory and software update management. Used to generate patch compliance reports.
• Application Firewall: Used to protect some eBusiness applications.
• Vulnerability Scanning: Used to scan DMZ applications and provide some vulnerability assessment capabilities.
• Intrusion Detection – Personal Firewall: Block unwanted inbound and outbound ports along with detecting suspicious traffic.
• Identity Mgmt: Provides access control to systems and applications.
• Event Correlation: Provides event correlation across the various security tools.
• Vulnerability Scanning: Provides automated network vulnerability assessment across servers, desktops, and infrastructure devices.
• Intrusion Detection – Network and Host: Provides enterprise class intrusion detection.
17
Areas to Study – Cntd.
Functional Area: Reasoning
• Certificate Mgmt: Better integration with Windows products (i.e., operating system and IIS).
• Authentication / Single Sign-On: Authenticates users against AD and LDAP.
• Remote Access Mgmt: The combination of all three components provides a comprehensive remote access solution.
• Anti-Malware – Exchange: Industry leading anti-virus/malware solution for Microsoft Exchange servers. It leverages 3 industry leading virus scan engines in combination to scan all emails.
• Anti-Malware – Internet Gateway: Enterprise class UNIX based virus protection system that forms part of a 3 tiered approach to virus protection.
18
e-Business Security Challenges
• Protect corporate network resources against internal and external threats
• Provide worldwide connectivity for mobile and remote employees and customers
• Use the Internet to lower wide area data communication costs
• Provide business partners with selective network access through a secure extranet
• Guarantee secure network’s performance, reliability and availability
• Define and enforce user-level security policies across the network
• Immediately detect and respond to attacks and suspicious activity against the network
• Securely and efficiently manage the network’s IP address infrastructure
• Implement an open security solution that allows integration with other applications
• Manage the total cost of ownership across the secure network
19
The Five Worst Security Mistakes End
Users Make:
1) Opening unsolicited email attachments without verifying their
source and checking their content first.
2) Failing to install security patches.
3) Installing screen savers or games without safety guarantees.
4) Not making and testing backups.
20
The Ten Worst Mistakes Information Technology People Make:
1) Connecting systems to the Internet before hardening them (removing unnecessary services and patching necessary ones).
2) Connecting test systems to the Internet with default accounts and passwords.
3) Failing to update systems when security vulnerabilities are found and patches or upgrades are available.
4) Using telnet and other unencrypted protocols for managing systems, routers, firewalls and PKI (Public Key Infrastructure).
5) Giving users passwords over the phone, or changing passwords in response to telephone or personal request when the requester is not authenticated.
6) Failing to maintain and test backups.
7) Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices (some of these are Unix specific).
8) Implementing firewalls with rules that allow malicious or dangerous traffic - incoming or outgoing.
9) Failing to implement or update virus detection software.
10) Failing to educate users on what to look for and what to do when they see a potential security problem.
21
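Several of the mistakes in this list can be checked mechanically against an asset inventory. The following is an added example, not code from the slides: it audits a constructed host inventory for the cleartext and unnecessary services the list names (mistakes 4 and 7), unapplied patches (mistake 3), and, for Internet-connected systems, unchanged default accounts (mistake 2) and exposure before hardening (mistake 1). The inventory and its port lists are constructed; the port numbers are the standard ones for the named services. The list's "mail" entry is deliberately left out of the risky-service table, since a mail listener is often required and needs a per-host decision rather than a blanket flag.

```python
"""Added example, not from the slides: audit a constructed host inventory
against mistakes 1, 2, 3, 4 and 7 from the list above."""
from collections import Counter
from dataclasses import dataclass

# Services the list names, keyed by their standard port:
# (service name, True if it carries credentials or sessions in cleartext).
RISKY_SERVICES = {
    21: ("ftpd", True),
    23: ("telnetd", True),
    79: ("finger", False),
    111: ("rpc portmapper", False),
    512: ("rexec", True),
    513: ("rlogin", True),
    514: ("rsh", True),
}


@dataclass
class Host:
    name: str
    internet_facing: bool
    listening_ports: set
    pending_patches: int            # patches available but not applied
    default_accounts_changed: bool  # vendor/default accounts disabled or re-credentialed


def audit_host(host: Host) -> list:
    """Findings for one host, each prefixed with the mistake number it maps to."""
    findings = []
    for port in sorted(host.listening_ports):
        if port not in RISKY_SERVICES:
            continue
        service, cleartext = RISKY_SERVICES[port]
        findings.append(f"mistake 7: unnecessary service {service} listening on {port}")
        if cleartext:
            findings.append(f"mistake 4: cleartext management protocol {service} on {port}")
    if host.pending_patches:
        findings.append(f"mistake 3: {host.pending_patches} available patch(es) not applied")
    if host.internet_facing and not host.default_accounts_changed:
        findings.append("mistake 2: default accounts/passwords on an Internet-connected system")
    if host.internet_facing and findings:
        # Any finding on an Internet-facing host means it went online unhardened.
        findings.insert(0, "mistake 1: connected to the Internet before hardening")
    return findings


def audit(hosts) -> dict:
    """Host name -> findings, listing only hosts that have any."""
    return {h.name: f for h in hosts if (f := audit_host(h))}


def summarize(hosts) -> dict:
    """How many hosts exhibit each mistake number, for a compliance report."""
    counts = Counter()
    for h in hosts:
        # Each finding starts with "mistake N:"; count each N once per host.
        counts.update({int(f.split(":")[0].split()[1]) for f in audit_host(h)})
    return dict(sorted(counts.items()))


# Constructed inventory: one clean bastion, one neglected router, one internal build host.
INVENTORY = [
    Host("bastion", True, {22, 443}, 0, True),
    Host("legacy-router", True, {23, 80}, 2, False),
    Host("build-box", False, {21, 22, 111}, 0, True),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name)
        for f in findings:
            print("  ", f)
    print("hosts per mistake:", summarize(INVENTORY))
```

Note that the internal build host is still reported for ftpd and the portmapper even though it is not Internet-facing; the list's mistake 7 is about running unnecessary services at all, and the Internet-facing flag only adds the mistake 1 and 2 findings on top.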
The Seven Worst Security Mistakes Senior
Executives Make:
1) Assigning untrained people to maintain security and providing neither the
training nor the time to make it possible to learn and do the job.
2) Failing to understand the relationship of information security to the business
problem - they understand physical security but do not see the consequences
of poor information security.
3) Failing to deal with the operational aspects of security: making a few fixes and
then not allowing the follow through necessary to ensure that problems stay
fixed.
4) Relying primarily on a firewall.
5) Failing to realize how much money their information and organizational
reputations are worth.
6) Authorizing reactive, short term fixes so problems re-emerge rapidly.
7) Pretending the problem will go away if they ignore it.
22
Enterprise Security Architecture
• A comprehensive security framework leads to dysfunctional, disconnected, and/or ineffective security organizations.
• Consistently applied policies and standards across domains (inter- and extra-enterprise).
• Need for a centralized security content management system and intuitive user interface to content.
• Ability to enforce security policies, procedures, and standards.
• Awareness of good security hygiene.
23