
Managing and Enforcing Information Security
June 2008

Belsis Meletis, MPhil, MRes, BSc, CWNA, CWSP, Network+, C|EH, ISO27001LA

Agenda

• Information Security

• ISMS

• Authentication and Provisioning

• Monitoring and Compliance

• Data Protection

Information Security

• Information Security is difficult to implement for the following reasons:

  • The cost of implementing a security system should not exceed the value of the data to be secured.

  • Industries pay huge amounts of money for industrial espionage.

  • Users feel that security is going to take their freedom away, so they often sabotage the security measures.

  • Computer prices have fallen dramatically and the number of hackers has multiplied.

  • Security managers work under strict budget and time schedules.

  • Hackers often cooperate with known criminals.

  • Almost 80% of attacks come from internal threats and partners.

  • The number of technologies, standards and methodologies that exist today is enough to confuse even experts.

Information Security

“In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process.”

Bruce Schneier (Secrets and Lies, Wiley and Sons Inc.)

Information Security

• Security comprises a number of tools, processes and techniques.

• In general these cover three main requirements:
  – Confidentiality
  – Integrity
  – Availability

• Depending on the security requirements a system has, one can concentrate on only one of the above or on all of them.

• A new requirement enforced today is non-repudiation.


ISMS

• Security should always start with the development of an ISMS.

• The Information Security Management System (ISMS) is the part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (ISO 27001 Standard).

• The management system should include:
  • Organisational structure and responsibilities
  • Policies, procedures, processes and practices
  • Planning activities and resources

Information Security Management Program Implementation

[Figure: layered model of the security management program. Top layer: Corporate Policy. Policy & Standards layer: Physical Access, Remote Access, Internet Policy, Application Security Policy and System Policy, plus Technology Standards (VPN, Tokens, Firewalls). Implementation Guidelines layer: installation and configuration. Operational Management layer: Operations, covering Host Security, Content Security and Process Management.]

ISO27001 Advantages

• ISO 27001 is an international standard giving the requirements for an Information Security Management System.

• The advantages of ISO27001 certification:

  • Ensure confidentiality, integrity and availability of information to maintain competitive edge, cash flow, profitability and commercial image.

  • Comply with legal, statutory, regulatory and contractual requirements.

  • Improve corporate governance and assurance to stakeholders such as shareholders, clients, consumers and suppliers.

  • Identify threats to assets, vulnerabilities, likelihood of occurrence and potential impact in order to allocate investment appropriately.


Authentication and Provisioning

• The management headache:

  • Applications and locations are added almost daily.

  • Changes to headcount have multiplied.

  • The cost of IT management has increased (e.g. it is estimated that the cost to reset a password in a medium-size organisation is $20).

  • Maintaining compliance with security standards is necessary (i.e. ISO27001, SoX, PCI).

  • Many man-hours of management time are spent approving resource requests.

Authentication and Provisioning

• The security headache:

  • User provisioning for all applications is time consuming.

  • 13%-15% of help desk phone calls involve password resets.

  • Users use yellow stickers to write down and remember the different passwords.

  • There is a long lag time between user termination and disablement of IDs.

  • Users have to access different applications and platforms (i.e. HPUX, Linux, Windows2003).

  • Security auditors require many different pieces of information.

  • The authentication method may be different for each application (e.g. password policies, tokens, idle timeout).

  • The user needs to manually sign in to every application (mainframe apps, intranet, web apps)!

Identity Chaos

[Figure: every system (Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS) keeps its own authentication, authorization and identity data, with no integration between them.]

Authentication and Provisioning

• Identity Management (IDM) systems allow individuals to use a user name, password or other personal identification to sign on to the enterprise applications.

• IDM systems offer:

  • Centralized management of all user identities and access rights
  • Automated (de-)provisioning of accounts
  • Centralized access management for heterogeneous networks (e.g. web applications, systems)
  • Strong and flexible password management policies
  • User account self management
  • Identification/removal of inactive accounts
  • Fully automated workflow approval path
  • Password reset (revalidating users)
  • Monitoring of all identity-related events

• IDM requires roles and processes to be clearly defined.

• IDM reduces organization cost and increases productivity.
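As an added illustration of automated de-provisioning and inactive-account detection (example code written for this page, not from the presentation or any IDM product): the HR system is treated as the authoritative source and each platform's account list is reconciled against it. The employee records, platform names, logins, dates and the 90-day inactivity threshold are all constructed.

```python
from datetime import date

# Constructed HR feed (the authoritative source): employee id -> (status, termination date)
HR = {
    "e100": ("active", None),
    "e101": ("terminated", date(2008, 5, 30)),
    "e102": ("active", None),
}

# Constructed per-platform account lists: platform -> {login: (employee id, enabled, last login)}
ACCOUNTS = {
    "hpux": {"jdoe": ("e100", True, date(2008, 6, 10)),
             "asmith": ("e101", True, date(2008, 5, 29))},
    "windows": {"jdoe": ("e100", True, date(2008, 6, 12)),
                "asmith": ("e101", True, date(2008, 6, 1)),
                "svc_old": (None, True, date(2007, 11, 2))},
    "lotus": {"bwong": ("e102", True, date(2008, 1, 3))},
}

AS_OF = date(2008, 6, 15)  # constructed "today" for the report


def reconcile(hr, accounts, today, inactive_days=90):
    """Compare every enabled account against HR and return findings as
    (platform, login, reason) tuples, sorted for a stable report."""
    findings = []
    for platform, users in accounts.items():
        for login, (emp, enabled, last_login) in users.items():
            if not enabled:
                continue  # already disabled: nothing to de-provision
            status, term_date = hr.get(emp, ("unknown", None))
            if emp is None or status == "unknown":
                findings.append((platform, login, "orphan: no owner in HR"))
            elif status == "terminated":
                lag = (today - term_date).days
                reason = f"terminated {lag} days ago, still enabled"
                if last_login > term_date:  # the lag was actually exploited
                    reason += ", used after termination"
                findings.append((platform, login, reason))
            elif (today - last_login).days > inactive_days:
                findings.append((platform, login, f"inactive for {(today - last_login).days} days"))
    return sorted(findings)


def demo():
    """Run the reconciliation on the constructed data."""
    return reconcile(HR, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for platform, login, reason in demo():
        print(f"{platform:8} {login:10} {reason}")
```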

Identity Management

[Figure: an Identity Integration Server sits between the Enterprise Directory and the HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application and NOS; each system still holds its own authentication, authorization and identity data, but all are connected through the integration server.]

Authentication and Provisioning

• Single Sign On (SSO) allows users to log in to virtually any system using a single log-on procedure.

  • Allows administrators to choose an authentication method (e.g. tokens, passwords, biometrics)
  • Seamless authentication for heterogeneous environments
  • Centrally provided session management
  • End-to-end audits of user activity across disparate systems
  • Reduces frustration from multiple passwords
  • Reduces the threats from the yellow stickers
  • Provides workstation features like:
    • Station lock
    • Proximity detectors and RF badges
    • Single sign off
    • Session migration

• SSO integrates with user provisioning solutions to further increase productive time.

[Figure: SSO architecture. The user authenticates once to a Sign-On Server with one of several credential types (User ID & Password, Token, Smart Card, MS CAPI Certificate, Biometrics, LDAP, RF Badge); the Sign-On Server then presents a PKI Certificate or encrypted passticket to the Application Hosts (NT/UNIX, OS/390, Novell, AS400, Web Servers) in place of the separate complex password each host would otherwise require.]


Monitoring and Compliance

• What do I need to do?

  – Businesses everywhere are attempting to cost-effectively comply with multiple external and internal mandates (e.g. ISO27001, SoX, PCI).

  – Administrators have to defend their systems against new vulnerabilities.

  – Security experts need to identify incidents.

  – Auditors need to see proof of due care that IT security policies are sufficient, in place, and effective.

• How do I do it?

  – Automatically test platforms for security compliance on a scheduled basis.

  – Regularly test systems for new vulnerabilities.

  – Enforce the regular analysis of log files to detect unauthorized actions.

Vulnerability Assessment Tools

• Regular tests ensure that systems are protected from new vulnerabilities.

• Vulnerability Assessment (VA) tools have databases with thousands of vulnerabilities.

• Frequent updates of these tools are necessary.

• Two types of VA tools:
  • Internet-based services
  • Network internal

• Some of these tools offer compliance scans against different standards, i.e. PCI.

• VA tools allow managers to schedule automated assessment jobs.

• Reports from these tools are used to patch vulnerable systems and/or develop strategic security plans.

• Reports can also be submitted to security auditors.

Policy Compliance

• Enterprises are finding that implementing new regulatory policies and procedures in an automated and efficient manner is very challenging.

• The effort of translating the policy into actual technical controls and triggers is complicated and cumbersome.

• Policy compliance platforms connect to corporate systems and test system configuration against pre-specified security policies (i.e. size and type of passwords, administrator access type).

• Policy compliance platforms:

  • Assist enterprises to maintain a configuration baseline over time.

  • Map industry-accepted frameworks and standards (i.e. ISO27001, PCI, SoX) and corporate policies to a set of technical controls and policies.

  • Provide assessment of heterogeneous systems (i.e. Unix, Windows).

  • Provide risk-based reports and proposed remediation techniques.

  • Improve operational cost and ensure policy compliance.

  • Prove compliance to internal and external auditors.
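To make the "policy to technical control" translation concrete, here is an added example (written for this page, not from the presentation or any compliance product) that checks password and administrator-access settings of a Unix host against a small baseline. The configuration text, the control identifiers (PW-01 etc.) and the thresholds are constructed, not taken from ISO27001, PCI or SoX; a third result, "missing", separates a setting that is absent from one that is present but wrong.

```python
import re

# Constructed snippets, as a scanner would collect them from a Unix host.
LOGIN_DEFS = """
# password ageing and length (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    6
"""
SSHD_CONFIG = """
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""


def parse_kv(text):
    """Turn 'KEY value' lines into a dict, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = re.match(r"\s*(\S+)\s+(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


# Constructed baseline: (control id, file, key, predicate on the value, requirement text).
# Each row is the technical trigger derived from one written policy statement.
BASELINE = [
    ("PW-01", "login.defs", "PASS_MIN_LEN", lambda v: int(v) >= 8, "minimum password length 8"),
    ("PW-02", "login.defs", "PASS_MAX_DAYS", lambda v: int(v) <= 90, "maximum password age 90 days"),
    ("PW-03", "login.defs", "PASS_WARN_AGE", lambda v: int(v) >= 7, "warn 7 days before expiry"),
    ("ADM-01", "sshd_config", "PermitRootLogin", lambda v: v.lower() == "no", "no direct root login"),
    ("ADM-02", "sshd_config", "Protocol", lambda v: v == "2", "SSH protocol 2 only"),
]


def assess(files):
    """files: file name -> parsed config. Returns {control id: 'pass' | 'fail' | 'missing'}."""
    result = {}
    for cid, fname, key, ok, _requirement in BASELINE:
        value = files.get(fname, {}).get(key)
        if value is None:
            result[cid] = "missing"  # not configured at all: report separately from a bad value
        else:
            result[cid] = "pass" if ok(value) else "fail"
    return result


def demo():
    """Assess the constructed host against the constructed baseline."""
    return assess({"login.defs": parse_kv(LOGIN_DEFS), "sshd_config": parse_kv(SSHD_CONFIG)})
```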

Monitoring and Analysis

• Enterprise IT infrastructure elements produce a large number of audit/log records.

  • Logs grow too large to be viewed using manual techniques.
  • Log and audit data are usually written on the local platforms.
  • Cross-platform analysis of log data is almost impossible.

• Monitoring tools collect records from different platforms.

  • Collected logs can be correlated, analyzed and viewed in real time.

  • Provide advanced visualization of the status of the infrastructure.

  • Forensic analysis helps respond to security incidents and identify malicious acts.

  • Help engineers detect and solve network problems.

  • Assist in the audit process by being able to produce proof.

  • Provide an "information warehouse" for corporate data that can be mined as a knowledge resource using built-in index and search technologies.
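The cross-platform correlation described above, as an added example (written for this page, not code from the presentation or any monitoring product): sshd syslog lines from a Unix host and Windows 2003 security-event style lines are normalised into one schema, then a rule flags a user whose failed logons across both platforms are followed by a success from the same source. The log lines, host names, addresses and the 5-minute/3-failure thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed samples: Unix sshd syslog lines and Windows 2003 security-event style lines.
LINUX_LOG = """\
Jun 12 09:01:10 hpux01 sshd[412]: Failed password for asmith from 10.1.5.7 port 5123 ssh2
Jun 12 09:01:40 hpux01 sshd[413]: Failed password for asmith from 10.1.5.7 port 5130 ssh2
Jun 12 09:03:05 hpux01 sshd[420]: Accepted password for jdoe from 10.1.2.2 port 5200 ssh2
"""
WINDOWS_LOG = """\
2008-06-12 09:02:15 WIN03FS EventID=529 Logon Failure User=asmith Source=10.1.5.7
2008-06-12 09:02:50 WIN03FS EventID=528 Successful Logon User=asmith Source=10.1.5.7
"""
LINUX_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
WIN_RE = re.compile(r"^(\S+ \S+) (\S+) EventID=(\d+) .*User=(\S+) Source=(\S+)")


def normalise(linux_text, windows_text, year=2008):
    """Map both formats onto one schema: (time, platform, host, user, outcome, source ip).
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in linux_text.splitlines():
        m = LINUX_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            outcome = "fail" if m.group(3) == "Failed" else "success"
            events.append((ts, "unix", m.group(2), m.group(4), outcome, m.group(5)))
    for line in windows_text.splitlines():
        m = WIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            outcome = "fail" if m.group(3) == "529" else "success"  # 529 = logon failure
            events.append((ts, "windows", m.group(2), m.group(4), outcome, m.group(5)))
    return sorted(events)


def correlate(events, window_s=300, min_fail=3):
    """Alert when a user accumulates min_fail failures (on any platform) within
    window_s seconds and then logs in successfully from one of the failing sources."""
    alerts, by_user = [], defaultdict(list)
    for ev in events:
        by_user[ev[3]].append(ev)
    for user, evs in by_user.items():
        fails = []
        for ts, plat, _host, _user, outcome, src in evs:
            fails = [f for f in fails if (ts - f[0]).total_seconds() <= window_s]  # slide the window
            if outcome == "fail":
                fails.append((ts, plat, src))
            elif len(fails) >= min_fail and any(f[2] == src for f in fails):
                alerts.append((user, src, sorted({f[1] for f in fails}), ts))
                fails = []
    return alerts
```

Neither platform alone reaches the threshold in this sample; only the merged timeline does, which is the point of collecting the records centrally.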


Endpoint Security

• Today enterprise infrastructures are not isolated:

  • Sales employees use laptop computers and PDAs to connect to the corporate networks.

  • Teleworking is a new trend to reduce corporate OpEx.

  • Standby engineers use laptops to connect to the corporate networks almost daily.

• Threats to the endpoints can easily provide a door for adversaries to access the corporate network (e.g. viruses, Trojan horses, unpatched systems).

• Endpoint security software ensures that endpoints are compliant with the corporate security policy:

  • Endpoint security provides central control over the endpoint devices used by employees and partners.

  • Specialised endpoint clients can be installed on the enterprise critical infrastructure servers.

• Host intrusion protection

• Antivirus

• Buffer overflow protection

• File/disk encryption

• Personal firewall

• Application control

• Host integrity checking

• Patch management

Endpoint Security

[Figure: NAC enforcement points by access path. Mobile users via SSL VPN (on-demand NAC); wireless mobile users or guests via on-demand and 802.1x NAC; home users, partners or suppliers via web application (on-demand NAC); remote offices via the WAN router (in-line NAC); wired users via Ethernet 802.1x NAC or Ethernet DHCP NAC; embedded Windows devices; wired users over IPSec VPN (API NAC).]

Access Control

• Enterprises today base their business almost solely on the data stored in their IT systems.

• Controlling access to these data is vital for the protection of the enterprise.

• Access control platforms allow administrators to centrally control and enforce access to the corporate data:

  • Enforce access accountability and segregation of duties

  • Centrally apply access control policies and rules to reduce administrative cost and complexity

  • Enforce a fine level of control on:
    • Files and folders
    • Processes
    • Privileged programs
    • Network connections
    • Terminals

  • Reduce cross-platform management overhead and meet internal and external audit requirements

• Access control tools require that a defined access control policy exists.

Data Leakage

• Data leakage tools provide a finer level of control on the access restrictions allowed on the corporate data.

• Data leakage tools enforce the corporate access control policy by providing deep content inspection:

  • Automated discovery of corporate confidential information stored on endpoints and servers.

  • Network scanning to detect and stop confidential information transmitted using different types of applications and protocols, e.g. IM, email, HTTP, FTP.

  • Control of the distribution of information using USB drives, CD-ROMs, email and printouts at the point of use, where information is accessed and stored.

  • Alerts for data access violations and incident response workflows.

  • Control of data input/output from heterogeneous applications and databases.

  • A cost-effective way to achieve standards compliance for legacy and web applications.

[Figure: channels covered by data leakage tools: email and web uploads; IM/FTP/P2P file transfer; removable media (CD, USB…); hard copy (printers, PDF); network resources; legacy apps; enterprise applications (clipboard, exports); unstructured data and file sharing (copy, move…).]


Questions?