Session 3 - Overview

Ensuring that a company is able to continue day-to-day operations is a core function of the IT organization. Security is a vital element that contributes to smooth operations. Tools, processes and management engagement are attributes of a quality security management framework.

Current Key Questions to Ask

• How vulnerable / exposed is your organization to security threats and interruptions?
• How would you know that you were exposed or under attack?
• What is your organization's ability to respond to security incidents (i.e., denial of service, cyber-crime)?
• Are you getting value for your security dollar spent? Are there any cost or efficiency opportunities?
• How well is security integrated into new business and technology initiatives? Are you taking your business to the Internet? Have you thought through the security ramifications?
• How well does your current security infrastructure (i.e., organization, process, policy, technology) match your future business strategy and business needs/requirements?
• How do you compare to your peers? Your industry?

Security Strategy Framework

The various components of the architecture and strategy combine to form the Security Framework. The Framework is a unified representation of the people, process and technology components that need to be addressed in the development of an enterprise security program. The Framework consists of several interconnected components, each of which contains a specific set of requirements and deliverables that contribute to the overall architecture and strategy. Once each component has been implemented, the Framework will enable a company to proactively reduce risk, adhere to regulatory, security, and privacy standards, and enable security to effectively support its business requirements. The objective, represented by the circle on the framework, is Availability, Confidentiality, and Integrity.
Source: © Ernst & Young LLP

Security Strategy & Architecture – Security Strategy Drivers

• Compliance with applicable legislation, standards and regulations (management controls, privacy, etc.)
• Protecting the company's image and reputation
• Information security – Confidentiality, Integrity, Availability
• Protection from internal and external threats
  – Unauthorized access
  – Loss of intellectual property
  – Malicious software
  – Business interruption
• Maintain technical currency
• Business efficiencies (bottom line ROI)
• Business interests in high-risk regions, countries, expanding market segments (e.g., gov't)
• Extended enterprise models (business partner arrangements, networking requirements)
• Portable computing variations (on-site, remote, wireless)

We must enable the business to evolve and operate effectively while maintaining a secure, compliant environment.

Governance Policies & Standards

Principles (Policies & Standards):
– Policies and standards for all key aspects of IT security:
  • are defined and reviewed/updated on a regular basis,
  • balance risk with business needs,
  • are aligned with process and technology capabilities,
  • are consistent with industry practices, and
  • are communicated and followed.

Governance Policies & Standards (cont'd)

Principles (Governance):
• IT Security is a fundamental responsibility of every employee. Governance to ensure compliance is the responsibility of IT.
• The governance of IT security will integrate with the overall governance model for IT.
• Frequent Security Control Meetings are used as the primary governing mechanism.
Asset Profiling

Principles:
– All physical IT Assets are:
  • known, authorized and compliant with policies and standards,
  • classified according to criticality and the sensitivity/importance of the information assets they support,
  • secured and managed consistent with their classification,
  • maintained/patched to minimize risks/vulnerabilities, and
  • supported by appropriate security service levels.
– Critical information assets are identified, owned and protected.

Technical Security Architecture

Principles:
• Provide a framework for incorporation of security into the IT Architecture that promotes the use of standardized components across the infrastructure
• Maintain effective security of the environment in the most effective manner and with the least amount of complexity.
• Provide a security infrastructure that supports a ubiquitous, high-availability environment
  – Enforce the utilization of strong security baseline controls for all infrastructure elements
  – Prevent the use of unauthorized systems on the Lucent infrastructure
  – Provide defenses against the use and proliferation of harmful applications and traffic on the network

Processes and Operational Practices

Principles:
• Security is an integral part of the IT delivery model and security must be "baked in" rather than "layered on" wherever possible.
• Security processes are clearly defined, managed and measured, with a clear understanding of risks, control activities and required control evidence documentation.

Technical Specifications

Principles:
• Technical Specifications (i.e. Minimum Security Baseline Standards) are defined, maintained, and consistent with industry practice.
• Compliance with Technical Specifications is verified as part of the design/implementation of Applications and Infrastructure.
• Technical Specifications are developed/modified to consider applicable risks, operational and technical feasibility.
• Exceptions are handled through a formal Non-Compliance Exception process.

People and Organizational Management

Principles:
– Security Organizational design consists of key areas:
  • Security Strategy & Architecture
  • Security Work Intake & Client Engagement
  • Security Management Controls and Oversight
  • Security Operational Controls (Change, Incident, Release, Problem)
  • Application Design & Implementation (incl. security design/test)
  • Infrastructure Design & Implementation (incl. security design/test)
  • Applications Support and Minor Enhancements
  • Security Incident Management & Monitoring
– Separation of Duties is evident in role definition and execution.

Security Program Compliance and Reporting

Principles:
• Compliance with Security Policies, Standards and Procedures is mandatory and must be enforced.
• Security Compliance is managed as part of a company's overall compliance program.
• Security compliance is verified by a variety of mechanisms including mandatory training/compliance modules, automated monitoring, and compliance checklists.
• Exceptions are handled through a formal Non-Compliance Exception process.

IT Security Architecture Principles

• Provide a framework for incorporation of security into the IT Architecture that promotes the use of standardized components across the infrastructure
• Maintain effective security of the environment in the most effective manner and with the least amount of complexity.
• Provide a security infrastructure that supports a ubiquitous, high-availability environment
  – Enforce the utilization of strong security baseline controls for all infrastructure elements
  – Prevent the use of unauthorized systems on the infrastructure
  – Provide defenses against the use and proliferation of harmful applications and traffic on the network

IT Security Architecture Attributes

Monitoring
  – Continuous monitoring and event correlation
  – Compliance checking
  – Enforces policy compliance
  – Enhances incident prevention and response capabilities

Least Privilege
  – RBAC: access to resources based on business roles & functions
  – Promote confidentiality and accountability for critical resources

Separation of Risks
  – Segmentation of infrastructure into security "zones"
  – Enhanced protection for critical areas
  – Restrictive access between zones
  – Prevent cascading failure

Defense in Depth
  – Placement of successive defense layers
  – Each layer complements, fortifies other layers
  – Minimize single points of failure

IT Security Architecture – Framework (ITU X.805 Security Model)

[Figure: the ITU-T X.805 model, drawn as a grid of Security Layers against Security Planes, with the eight Security Dimensions applied to every cell; Threats and Attacks act on Vulnerabilities across the grid, as labelled on the figure.]
  Security Layers: Applications Security, Services Security, Infrastructure Security
  Security Planes: End User Plane, Control Plane, Management Plane
  Security Dimensions: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communications Security, Data Integrity, Availability, Privacy
  Threats: Destruction, Corruption, Removal, Disclosure, Interruption

Security Architecture – Layers Framework

[Figure: the same three Security Layers (Applications Security, Services Security, Infrastructure Security) and three planes (End User Plane, Control Plane, Management Plane), with the following controls placed across the layers:]
  – Role-Based Access Control
  – Anti-Malware Control
  – Web Services Security
  – Identity Management
  – Authentication (Token/SmartCard)
  – PKI
  – Encryption (Desktop, Messaging, Storage)
  – Encryption (Network Layer - IPSec/VPN/SSL)
  – Monitoring, Detection, & Response
  – Infrastructure Partitioning
  – Partnership Network Connectivity Standards
  – Network Level Access Control
  – Physical Security Controls
  – Policies
  – Directory Services

Areas to Study

Functional Area: Reasoning
• Compliance Monitoring: Inventory and software update management. Used to generate patch compliance reports.
• Application Firewall: Used to protect some eBusiness applications.
• Vulnerability Scanning: Used to scan DMZ applications and provide some vulnerability assessment capabilities.
• Intrusion Detection – Personal Firewall: Block unwanted inbound and outbound ports along with detecting suspicious traffic.
• Identity Mgmt: Provides access control to systems and applications.
• Event Correlation: Provides event correlation across the various security tools.
• Vulnerability Scanning: Provides automated network vulnerability assessment across servers, desktops, and infrastructure devices.
• Intrusion Detection – Network and Host: Provides enterprise class intrusion detection.

Areas to Study – Cont'd

Functional Area: Reasoning
• Certificate Mgmt: Better integration with Windows products (i.e., operating system and IIS).
• Authentication / Single Sign-On: Authenticates users against AD and LDAP.
• Remote Access Mgmt: The combination of all three components provides a comprehensive remote access solution.
• Anti-Malware – Exchange: Industry leading anti-virus/malware solution for Microsoft Exchange servers. It leverages 3 industry leading virus scan engines in combination to scan all emails.
• Anti-Malware – Internet Gateway: Enterprise class UNIX based virus protection system that forms part of a 3-tiered approach to virus protection.
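The Least Privilege and Separation of Risks attributes on the IT Security Architecture Attributes slide above are easiest to see as one access decision in which both a role check and a zone check must pass and everything else is denied. The following Python is an added illustration written for these notes, not code from the deck or from Ernst & Young; the zones, roles, resources and requests are constructed sample data.

```python
"""Added example (not from the deck): a default-deny access decision that combines two
of the IT Security Architecture Attributes above, Least Privilege (role-based access
to resources) and Separation of Risks (security zones with restrictive access between
them). Roles, zones, resources and requests are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Allowed zone-to-zone flows, constructed for the example. Flows not listed here are
# denied, which is what "restrictive access between zones" means in practice.
ZONE_FLOWS: Dict[str, Set[str]] = {
    "internet": {"dmz"},                            # outside world only reaches the DMZ
    "dmz": {"dmz", "internal"},                     # DMZ tier may call internal services
    "internal": {"internal", "management"},         # staff network may reach management
    "management": {"dmz", "internal", "management"},
}

# Role -> permissions it grants, as (resource, action). Each role carries only what
# its business function needs (least privilege). Constructed sample data.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "web_customer": {("catalog", "read"), ("order", "create")},
    "support_agent": {("order", "read"), ("customer", "read")},
    "sysadmin": {("server", "read"), ("server", "configure")},
}

# Zone in which each resource is hosted (constructed).
RESOURCE_ZONE: Dict[str, str] = {
    "catalog": "dmz",
    "order": "internal",
    "customer": "internal",
    "server": "management",
}


@dataclass(frozen=True)
class Request:
    subject: str
    roles: FrozenSet[str]
    source_zone: str
    resource: str
    action: str


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The zone check and the role check must both pass;
    every deny names the attribute that produced it so the decision can be audited."""
    target_zone = RESOURCE_ZONE.get(req.resource)
    if target_zone is None:
        return False, f"unknown resource {req.resource!r}"
    # Separation of Risks: the zone-to-zone flow must be explicitly allowed.
    if target_zone not in ZONE_FLOWS.get(req.source_zone, set()):
        return False, f"zone policy denies {req.source_zone} -> {target_zone}"
    # Least Privilege: some role held by the subject must grant exactly this action.
    needed = (req.resource, req.action)
    granting = sorted(r for r in req.roles if needed in ROLE_PERMISSIONS.get(r, set()))
    if not granting:
        return False, f"no role of {req.subject} grants {req.action} on {req.resource}"
    return True, f"role {granting[0]} via flow {req.source_zone} -> {target_zone}"


def audit(requests: List[Request]) -> List[Tuple[str, bool, str]]:
    """Evaluate a batch and return decision records, the kind of log the
    Monitoring attribute would correlate."""
    return [(r.subject, *evaluate(r)) for r in requests]


# Constructed requests: the same role is allowed or denied depending on the zone it
# originates from, and the same zone is allowed or denied depending on the role.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"web_customer"}), "internet", "catalog", "read"),
    Request("alice", frozenset({"web_customer"}), "internet", "order", "create"),
    Request("webtier", frozenset({"web_customer"}), "dmz", "order", "create"),
    Request("bob", frozenset({"support_agent"}), "internal", "server", "configure"),
    Request("carol", frozenset({"sysadmin"}), "dmz", "server", "configure"),
    Request("carol", frozenset({"sysadmin"}), "management", "server", "configure"),
]

if __name__ == "__main__":
    for subject, allowed, reason in audit(SAMPLE_REQUESTS):
        print(f"{subject:8} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The two checks are deliberately independent: the sysadmin role is denied from the DMZ even though it holds the permission, and the support agent is denied in the management zone even though the flow is open. That is what keeps a compromised web tier or an over-privileged account from cascading across zones.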
e-Business Security Challenges

• Protect corporate network resources against internal and external threats
• Provide worldwide connectivity for mobile and remote employees and customers
• Use the Internet to lower wide area data communication costs
• Provide business partners with selective network access through a secure extranet
• Guarantee the secure network's performance, reliability and availability
• Define and enforce user-level security policies across the network
• Immediately detect and respond to attacks and suspicious activity against the network
• Securely and efficiently manage the network's IP address infrastructure
• Implement an open security solution that allows integration with other applications
• Manage the total cost of ownership across the secure network

The Five Worst Security Mistakes End Users Make:
1) Opening unsolicited email attachments without verifying their source and checking their content first.
2) Failing to install security patches.
3) Installing screen savers or games without safety guarantees.
4) Not making and testing backups.

The Ten Worst Mistakes Information Technology People Make:
1) Connecting systems to the Internet before hardening them (removing unnecessary devices and patching necessary ones).
2) Connecting test systems to the Internet with default accounts and passwords.
3) Failing to update systems when security vulnerabilities are found and patches or upgrades are available.
4) Using telnet and other unencrypted protocols for managing systems, routers, firewalls and PKI (Public Key Infrastructure).
5) Giving users passwords over the phone, or changing passwords in response to telephone or personal requests when the requester is not authenticated.
6) Failing to maintain and test backups.
7) Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices (some of these are Unix specific).
8) Implementing firewalls with rules that allow malicious or dangerous traffic - incoming or outgoing.
9) Failing to implement or update virus detection software.
10) Failing to educate users on what to look for and what to do when they see a potential security problem.

The Seven Worst Security Mistakes Senior Executives Make:
1) Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to learn and do the job.
2) Failing to understand the relationship of information security to the business problem - they understand physical security but do not see the consequences of poor information security.
3) Failing to deal with the operational aspects of security: making a few fixes and then not allowing the follow-through necessary to ensure that problems stay fixed.
4) Relying primarily on a firewall.
5) Failing to realize how much money their information and organizational reputations are worth.
6) Authorizing reactive, short-term fixes so problems re-emerge rapidly.
7) Pretending the problem will go away if they ignore it.

Enterprise Security Architecture

• A comprehensive security framework leads to dysfunctional, disconnected, and/or ineffective security organizations.
• Consistently applied policies and standards across domains (inter- and extra-enterprise).
• Need for a centralized security content management system and intuitive user interface to content.
• Ability to enforce security policies, procedures, and standards.
• Awareness of good security hygiene.
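Three items on the "Ten Worst Mistakes Information Technology People Make" list above (unencrypted management protocols, unnecessary services, and firewall rules that allow dangerous traffic) are the kind of thing a simple recurring check can catch before a system goes on the Internet. The Python below is an added illustration written for these notes, not tooling from the deck: it parses the listening-socket table that `ss -tlnp` prints on Linux and reviews a simplified firewall ruleset. The `ss` output, the firewall rules and the approved-process list are constructed sample data; a real run would feed in the live output of the same command.

```python
"""Added example (not from the deck): a small host-hygiene check for three items on the
"Ten Worst Mistakes Information Technology People Make" list, unencrypted management
protocols (4), unnecessary services (7) and firewall rules that allow dangerous traffic (8).
The `ss -tlnp` output, the firewall rules and the approved-process list below are
constructed sample data."""
import re
from typing import Dict, List

# Well-known ports of the cleartext protocols the list warns about (items 4 and 7).
CLEARTEXT_PORTS: Dict[int, str] = {
    21: "ftp", 23: "telnet", 79: "finger", 512: "rexec", 513: "rlogin", 514: "rsh",
}

# Processes this host is authorized to expose on the network (assumption for the example).
APPROVED_PROCESSES = {"sshd", "nginx"}

# Matches the process name and pid in the last column of `ss -tlnp`.
PROCESS_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Constructed sample of `ss -tlnp` output, one listening socket per row.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=640,fd=5))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
LISTEN  0       50      *:21                *:*                users:(("vsftpd",pid=900,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=950,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Constructed firewall rules in a simplified allow/deny form, evaluated in order.
SAMPLE_RULES = [
    {"action": "allow", "direction": "in",  "src": "any", "dst": "10.0.0.5", "port": 443},
    {"action": "allow", "direction": "in",  "src": "any", "dst": "10.0.0.5", "port": 23},
    {"action": "allow", "direction": "out", "src": "any", "dst": "any",      "port": "any"},
    {"action": "deny",  "direction": "in",  "src": "any", "dst": "any",      "port": "any"},
]


def parse_ss(output: str) -> List[Dict]:
    """Turn `ss -tlnp` rows into dicts with address, port, process name and pid.
    Rows that are not LISTEN sockets (including the header) are ignored."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # handles 0.0.0.0:22, *:21 and [::]:22
        m = PROCESS_RE.search(line)
        sockets.append({
            "addr": addr,
            "port": int(port),
            "process": m.group("name") if m else "unknown",
            "pid": int(m.group("pid")) if m else None,
        })
    return sockets


def is_exposed(sock: Dict) -> bool:
    """A socket bound only to loopback is not reachable from the network."""
    return sock["addr"] not in ("127.0.0.1", "[::1]")


def audit_services(sockets: List[Dict]) -> List[str]:
    """Flag network-reachable sockets that speak a cleartext protocol or belong to a
    process that is not on the approved list."""
    findings = []
    for s in sockets:
        if not is_exposed(s):
            continue
        if s["port"] in CLEARTEXT_PORTS:
            findings.append(f"cleartext {CLEARTEXT_PORTS[s['port']]} on port {s['port']} ({s['process']})")
        if s["process"] not in APPROVED_PROCESSES:
            findings.append(f"unapproved service {s['process']} on {s['addr']}:{s['port']}")
    return findings


def audit_firewall(rules: List[Dict]) -> List[str]:
    """Flag allow rules that are any/any/any, and inbound allows of a cleartext
    management port from any source."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        if (r["src"], r["dst"], r["port"]) == ("any", "any", "any"):
            findings.append(f"rule {i}: {r['direction']}bound allow any/any/any")
        elif r["direction"] == "in" and r["src"] == "any" and r["port"] in CLEARTEXT_PORTS:
            findings.append(f"rule {i}: inbound {CLEARTEXT_PORTS[r['port']]} open to any source")
    return findings


def run_audit() -> Dict[str, List[str]]:
    """Run both checks over the constructed sample data and group the findings."""
    return {"services": audit_services(parse_ss(SAMPLE_SS)),
            "firewall": audit_firewall(SAMPLE_RULES)}


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(section)
        for item in items:
            print("  -", item)
```

On the sample data the loopback-only CUPS socket is ignored, sshd and nginx pass, and the telnet and ftp listeners each produce two findings (a cleartext protocol and an unapproved process). Substituting a real allowlist and the live `ss -tlnp` output turns this into the pre-connection hardening check that item 1 on the list asks for.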