Meletis Belsis: Managing and enforcing information security
Managing and Enforcing Information Security
June 2008
Belsis Meletis MPhil, MRes, BSc
CWNA, CWSP, Network+, C|EH, ISO27001LA
Agenda
• Information Security
• ISMS
• Authentication and Provisioning
• Monitoring and Compliance
• Data Protection
Information Security
• Information Security is difficult to implement for the following reasons:
– The cost of implementing a security system should not exceed the value of the data to be secured.
– Industries pay huge amounts of money for industrial espionage.
– Users feel that security is going to take their freedom away, and so they often sabotage the security measures.
– Computer prices have fallen dramatically and the number of hackers has multiplied.
– Security managers work under strict budget and time constraints.
– Hackers often cooperate with known criminals.
– Almost 80% of attacks come from internal threats and partners.
– The number of technologies, standards and methodologies that exist today is enough to confuse even experts.
Information Security
“In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process…”
Bruce Schneier (Secrets and Lies, Wiley and Sons Inc.)
Information Security
• Security comprises a number of tools, processes and techniques.
• In general these cover three main requirements:
– Confidentiality
– Integrity
– Availability
• Depending on the security requirements a system has, one can concentrate on only one of these or on all of them.
• A new requirement enforced today is non-repudiation.
ISMS
• Security should always start with the development of an ISMS.
• The Information Security Management System (ISMS) is the part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (ISO 27001 standard).
• The management system should include:
– Organisational structure and responsibilities
– Policies, procedures, processes and practices
– Planning activities and resources
Information Security Management Program Implementation
[Diagram: layered model. Corporate Policy; Policy & Standards (Physical access, Remote Access, Internet Policy, Appl. Security Policy, System Policy); Technology Standards (VPN, Tokens, Firewalls); Implementation Guidelines (Installation and configuration); Operational Management / Operations (Host-Sec., Content Sec., Process Management).]
ISO27001 Advantages
• ISO 27001 is an international standard specifying the requirements for an Information Security Management System.
• The advantages of an ISO27001 certification:
– Ensure confidentiality, integrity and availability of information to maintain competitive edge, cash flow, profitability and commercial image.
– Comply with legal, statutory, regulatory and contractual requirements.
– Improve corporate governance and assurance to stakeholders such as shareholders, clients, consumers and suppliers.
– Identify threats to assets, vulnerabilities, likelihood of occurrence and potential impact, in order to allocate investment appropriately.
Authentication and Provisioning
• The Management Headache
– Applications and locations are added almost daily.
– Changes to headcounts have multiplied.
– The cost of IT management has increased (e.g. it is estimated that the cost to reset a password in a medium-size organisation is $20).
– Maintaining compliance with security standards (i.e. ISO27001, SoX, PCI) is necessary.
– Many man-hours of management time are spent approving resource requests.
Authentication and Provisioning
• The Security Headache
– User provisioning for all applications is time consuming.
– 13%-15% of help desk phone calls involve password resets.
– Users use yellow stickers to write down and remember the different passwords.
– There is a long lag time between user termination and disablement of IDs.
– Users have to access different applications and platforms (i.e. HPUX, Linux, Windows 2003).
– Security auditors require many different pieces of information.
– The authentication method may be different for each application (e.g. password policies, tokens, idle timeout).
[Diagram: the user needs to manually sign in to every application: Mainframe Apps, Intranet, Web Apps.]
Identity Chaos
[Diagram: the Enterprise Directory, HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS and a second In-House Application each keep their own authentication, authorization and/or identity data.]
Authentication and Provisioning
• Identity Management Systems allow individuals to use a user name, password or other personal identification to sign on to the enterprise applications.
• IDM systems offer:
– Centralized management of all user identities and access rights
– Automated (de-)provisioning of accounts
– Centralized access management for heterogeneous networks (e.g. web applications, systems)
– Strong and flexible password management policies
– User account self-management
– Identification/removal of inactive accounts
– Fully automated workflow approval path
– Password reset (revalidate users)
– Monitoring of all identity-related events
• IDM requires roles and processes to be clearly defined.
• IDM reduces the organization's cost and increases productivity.
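Two of the IDM functions listed above, automated de-provisioning and identification of inactive accounts, come down to reconciling every platform's account list against the HR system of record. The script below is an added example, not code from the deck or from any product it describes: the HR feed, the account exports, the platform names and the export layout (account, owner employee id, last logon) are all constructed assumptions.

```python
"""Reconcile platform accounts against the HR system of record.

Added example, not from the original deck. The HR feed, the account exports
and the platform names are constructed; the export layout (account name,
owner employee id, last logon date) is an assumption.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: employee id -> (login name, employment status)
HR_FEED = {
    "e1001": ("alice", "active"),
    "e1002": ("bob", "terminated"),
    "e1003": ("carol", "active"),
}

# Constructed account exports from three platforms.
# Each entry: (account name, owner employee id or None, last logon date)
ACCOUNTS = {
    "hpux-db01": [("alice", "e1001", date(2008, 5, 30)),
                  ("bob", "e1002", date(2008, 5, 1)),
                  ("svc_backup", None, date(2008, 6, 1))],
    "win2003-fs": [("alice", "e1001", date(2008, 6, 2)),
                   ("carol", "e1003", date(2007, 11, 15)),
                   ("dave", "e1999", date(2008, 6, 1))],
    "intranet": [("bob", "e1002", date(2008, 4, 28))],
}

AS_OF = date(2008, 6, 10)   # constructed "today" for the reconciliation run


@dataclass(frozen=True)
class Finding:
    platform: str
    account: str
    action: str   # "disable" (automatic) or "review" (needs an owner decision)
    reason: str


def reconcile(hr_feed, accounts, today, inactive_days=90):
    """Compare every platform account with HR and decide what to do with it.

    Precedence matters: an account whose owner is unknown or terminated is
    disabled even if it was used recently, because a recent logon on such an
    account is itself suspicious rather than reassuring.
    """
    findings = []
    for platform, entries in accounts.items():
        for name, owner, last_logon in entries:
            if owner is None:
                findings.append(Finding(platform, name, "review",
                                        "no owner on record"))
                continue
            record = hr_feed.get(owner)
            idle = (today - last_logon).days
            if record is None:
                findings.append(Finding(platform, name, "disable",
                                        f"owner {owner} unknown to HR"))
            elif record[1] == "terminated":
                findings.append(Finding(platform, name, "disable",
                                        f"owner {owner} terminated in HR"))
            elif idle > inactive_days:
                findings.append(Finding(platform, name, "review",
                                        f"inactive for {idle} days"))
    return findings


def disable_plan(findings):
    """Group the automatic disables per platform, one batch per connector."""
    plan = {}
    for f in findings:
        if f.action == "disable":
            plan.setdefault(f.platform, []).append(f.account)
    return plan


if __name__ == "__main__":
    findings = reconcile(HR_FEED, ACCOUNTS, AS_OF)
    for f in findings:
        print(f"{f.platform:11} {f.account:11} {f.action:8} {f.reason}")
    print(disable_plan(findings))
```

Accounts with no owner on record (service accounts, shared logins) are deliberately routed to review rather than disabled automatically: they are exactly the accounts an IDM rollout has to assign owners to, and disabling them blindly breaks batch jobs.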
Identity Management
[Diagram: an Identity Integration Server connects the Enterprise Directory with the HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application and NOS, each of which holds its own authentication, authorization and/or identity data.]
Authentication and Provisioning
• Single Sign On (SSO) allows users to log in to virtually any system using a single log-on procedure.
• Allows administrators to choose an authentication method (e.g. tokens, passwords, biometrics).
• Seamless authentication for heterogeneous environments.
• Centrally provided session management.
• End-to-end audits of user activity across disparate systems.
• Reduces frustration from multiple passwords.
• Reduces the threats from the yellow stickers.
• Provides workstation features like:
– Station lock
– Proximity detectors and RF badges
– Single sign-off
– Session migration
• SSO integrates with user provisioning solutions to further increase productive time.
[Diagram: SSO architecture. Authentication methods (User ID & Password, Token, Smart Card, MS CAPI Certificate, Biometrics, LDAP, RF Badge) are presented to a Sign-On Server, which holds a PKI Certificate and the per-application credentials (shown as strings such as ju9$7%%a&u and r2d2q3) and passes an encrypted passticket to the Application Hosts (NT/UNIX, OS/390, Novell, AS400, Web Servers).]
INNOVA S.A.
Monitoring and Compliance
• What do I need to do?
– Businesses everywhere are attempting to comply cost-effectively with multiple external and internal mandates (e.g. ISO27001, SoX, PCI).
– Administrators have to defend their systems against new vulnerabilities.
– Security experts need to identify incidents.
– Auditors need to see proof of due care: that IT security policies are sufficient, in place, and effective.
• How do I do it?
– Automatically test platforms for security compliance on a scheduled basis.
– Regularly test systems for new vulnerabilities.
– Enforce the regular analysis of log files to detect unauthorized actions.
Vulnerability Assessment Tools
• Regular tests ensure that systems are protected from new vulnerabilities.
• Vulnerability Assessment tools have databases with thousands of vulnerabilities.
• Frequent updates of these tools are necessary.
• Two types of VA tools:
– Internet-based services
– Network-internal
• Some of these tools offer compliance scans against different standards, i.e. PCI.
• VA tools allow managers to schedule automated assessment jobs.
• Reports from these tools are used to patch vulnerable systems and/or develop strategic security plans.
• Reports can also be submitted to security auditors.
Policy Compliance
• Enterprises are finding that implementing new regulatory policies and procedures in an automated and efficient manner is very challenging.
• The effort of translating a policy into actual technical controls and triggers is complicated and cumbersome.
• Policy Compliance platforms connect to corporate systems and test system configuration against pre-specified security policies (i.e. size and type of passwords, administrator access type).
• Policy Compliance platforms:
– Assist enterprises to maintain a configuration baseline over time.
– Map industry-accepted frameworks and standards (i.e. ISO27001, PCI, SoX) and corporate policies to a set of technical controls and policies.
– Provide assessment of heterogeneous systems (i.e. Unix, Windows).
– Provide risk-based reports and proposed remediation techniques.
– Reduce operational cost and ensure policy compliance.
– Prove compliance to internal and external auditors.
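The core of such a platform is a baseline of technical controls, each with a machine check, a severity and a remediation, applied to configuration snapshots collected from each host and turned into a risk-ranked report. The following is an added example, not code from the deck or from any compliance product: the hosts, their settings and the baseline are constructed, and the control identifiers (PWD-01 and so on) are illustrative labels for corporate policy items, not ISO27001 or PCI clause numbers.

```python
"""Test host configuration snapshots against a corporate security baseline.

Added example, not from the original deck. Hosts, settings and controls are
constructed; control ids are illustrative labels, not standard clause numbers.
A real platform would collect the snapshots over SSH or WMI; here they are
embedded.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    setting: str                    # key in the host snapshot
    check: Callable[[str], bool]    # True when the value is compliant
    expected: str                   # human-readable expectation for the report
    severity: str                   # "high", "medium" or "low"
    remediation: str


@dataclass(frozen=True)
class Finding:
    control_id: str
    severity: str
    detail: str
    remediation: str


# Constructed baseline: the "size and type of passwords" and
# "administrator access type" checks the slide mentions, plus idle timeout.
BASELINE = [
    Control("PWD-01", "Minimum password length", "password_min_length",
            lambda v: int(v) >= 8, ">= 8", "high",
            "set password_min_length to 8 or more"),
    Control("PWD-02", "Password complexity enforced", "password_complexity",
            lambda v: v == "on", "on", "high",
            "enable password complexity"),
    Control("PWD-03", "Maximum password age in days", "password_max_age",
            lambda v: 0 < int(v) <= 90, "1-90", "medium",
            "set password_max_age between 1 and 90 (0 means never expires)"),
    Control("ADM-01", "Direct remote logon as root/Administrator disabled",
            "remote_admin_login", lambda v: v == "off", "off", "high",
            "disable remote_admin_login; use personal accounts and su/runas"),
    Control("SES-01", "Idle session timeout in minutes", "idle_timeout",
            lambda v: 0 < int(v) <= 15, "1-15", "medium",
            "set idle_timeout to 15 minutes or less"),
]

SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}

# Constructed snapshots; lnx-web02 deliberately lacks password_max_age.
HOSTS = {
    "hpux-db01": {"password_min_length": "6", "password_complexity": "off",
                  "password_max_age": "0", "remote_admin_login": "on",
                  "idle_timeout": "30"},
    "win2003-fs": {"password_min_length": "10", "password_complexity": "on",
                   "password_max_age": "60", "remote_admin_login": "off",
                   "idle_timeout": "10"},
    "lnx-web02": {"password_min_length": "12", "password_complexity": "on",
                  "remote_admin_login": "off", "idle_timeout": "15"},
}


def assess_host(config, baseline=BASELINE):
    """Return one Finding per failed or missing control."""
    findings = []
    for c in baseline:
        value = config.get(c.setting)
        if value is None:
            # A missing setting is a finding too: "not configured" is not
            # the same as compliant, and the collector may simply have failed.
            findings.append(Finding(c.control_id, c.severity,
                                    f"{c.setting} not present in snapshot",
                                    c.remediation))
        elif not c.check(value):
            findings.append(Finding(c.control_id, c.severity,
                                    f"found {value!r}, expected {c.expected}",
                                    c.remediation))
    return findings


def risk_score(findings):
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def report(hosts=HOSTS, baseline=BASELINE):
    """Risk-ranked report: worst host first, so remediation starts there."""
    rows = []
    for host, config in hosts.items():
        findings = assess_host(config, baseline)
        rows.append({"host": host, "score": risk_score(findings),
                     "compliant": not findings, "findings": findings})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in report():
        state = "compliant" if row["compliant"] else "non-compliant"
        print(f"{row['host']}: score {row['score']}, {state}")
        for f in row["findings"]:
            print(f"  [{f.severity:6}] {f.control_id}: {f.detail} -> {f.remediation}")
```

Keeping the check, the expected value and the remediation text together in one Control record is what lets the same baseline produce both the administrator's fix list and the auditor's evidence; the mapping from each control to the framework clause it satisfies would be one more field on that record.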
Monitoring and Analysis
• Enterprise IT infrastructure elements produce a large number of audit/log records.
• Logs grow too large to be viewed using manual techniques.
• Log and audit data are usually written on the local platforms.
• Cross-platform analysis of log data is almost impossible.
• Monitoring tools collect records from different platforms.
• Collected logs can be correlated, analyzed and viewed in real time.
• Provide advanced visualization techniques of the status of the infrastructure.
• Forensic analysis helps respond to security incidents and identify malicious acts.
• Help engineers in detecting and solving network problems.
• Assist in the audit process by being able to produce proof.
• Provide an "information warehouse" for corporate data that can be mined as a knowledge resource using built-in index and search technologies.
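What makes cross-platform analysis possible is normalising each platform's log format into one schema before correlating. The script below is an added example, not code from the deck or from any monitoring product. Its log lines are constructed: a syslog-style sshd line, a flattened Windows 2003 security event export (EventID 528 = successful logon, 529 = bad user name or password) in a key=value layout assumed here, and an Apache access log line from the intranet login page. The collector is assumed to tag each line with the platform it came from, and syslog lines, which carry no year, are assumed to be from 2008.

```python
"""Normalise authentication records from several platforms and correlate them.

Added example, not from the original deck. All log lines are constructed; the
Windows export layout and the platform tagging are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
ASSUMED_YEAR = 2008   # syslog lines carry no year

SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
WINEVT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) EventID=(\d+) User=(\S+) Source=(\S+)")
APACHE_RE = re.compile(
    r'^(\S+) - (\S+) \[(\d\d)/(\w{3})/(\d{4}):(\d\d:\d\d:\d\d) [^\]]*\] "[^"]*" (\d{3})')

# Constructed input: (platform tag added by the collector, raw line)
SAMPLE_LINES = [
    ("hpux-db01", "Jun  3 10:15:02 hpux-db01 sshd[2231]: Failed password for bob from 10.0.0.5 port 4022 ssh2"),
    ("hpux-db01", "Jun  3 10:15:05 hpux-db01 sshd[2231]: Failed password for bob from 10.0.0.5 port 4022 ssh2"),
    ("win2003-fs", "2008-06-03 10:15:09 win2003-fs EventID=529 User=bob Source=10.0.0.5"),
    ("intranet", '10.0.0.5 - bob [03/Jun/2008:10:15:20 +0000] "POST /login HTTP/1.1" 401 312'),
    ("win2003-fs", "2008-06-03 10:16:40 win2003-fs EventID=528 User=bob Source=10.0.0.5"),
    ("hpux-db01", "Jun  3 10:20:00 hpux-db01 cron[100]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("hpux-db01", "Jun  3 10:30:00 hpux-db01 sshd[2302]: Accepted password for alice from 10.0.0.9 port 4101 ssh2"),
    ("hpux-db01", "Jun  3 10:31:00 hpux-db01 sshd[2305]: Failed password for carol from 10.0.0.7 port 4110 ssh2"),
]


def normalize(platform, line):
    """Map one raw line to (time, host, user, source_ip, success), or None."""
    m = SYSLOG_RE.match(line)
    if m:
        mon, day, hms, host, verdict, user, ip = m.groups()
        t = datetime(ASSUMED_YEAR, MONTHS[mon], int(day), *map(int, hms.split(":")))
        return (t, host, user, ip, verdict == "Accepted")
    m = WINEVT_RE.match(line)
    if m:
        ts, host, event_id, user, ip = m.groups()
        if event_id not in ("528", "529"):
            return None   # other security events are out of scope here
        return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, user, ip, event_id == "528")
    m = APACHE_RE.match(line)
    if m:
        ip, user, day, mon, year, hms, status = m.groups()
        t = datetime(int(year), MONTHS[mon], int(day), *map(int, hms.split(":")))
        return (t, platform, user, ip, status == "200")   # 401 = login rejected
    return None


def collect(lines=SAMPLE_LINES):
    """Normalised events only; lines no parser recognises are dropped."""
    return [ev for ev in (normalize(p, l) for p, l in lines) if ev]


def correlate(events, window=timedelta(minutes=5), min_hosts=2):
    """Flag a (user, source) pair that fails on several hosts within the window.

    Seen on one platform alone, each failure is noise; only the cross-platform
    view shows one source working through the same account everywhere. A
    success inside the same window raises the severity.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev[2], ev[3])].append(ev)
    alerts = []
    for (user, ip), evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if not e[4]]
        for first in failures:
            end = first[0] + window
            in_window = [e for e in failures if first[0] <= e[0] <= end]
            hosts = sorted({e[1] for e in in_window})
            if len(hosts) < min_hosts:
                continue
            success = next((e for e in evs if e[4] and first[0] < e[0] <= end), None)
            alerts.append({"user": user, "source_ip": ip, "hosts": hosts,
                           "failures": len(in_window),
                           "success_on": success[1] if success else None,
                           "severity": "high" if success else "medium"})
            break   # one alert per (user, source) pair
    return alerts


if __name__ == "__main__":
    for a in correlate(collect()):
        print(a)
```

The same normalised tuples feed the forensic and audit uses on the slide: once every platform's record carries the same (time, host, user, source, outcome) fields, a timeline for one user or one source address is a filter rather than a manual reconciliation of three formats.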
Endpoint Security
• Today enterprise infrastructures are not isolated:
– Sales employees use laptop computers and PDAs to connect to the corporate networks.
– Teleworking is a new trend to reduce corporate OpEx.
– Standby engineers use laptops to connect to the corporate networks almost daily.
• Threats to the endpoints can easily provide a door for adversaries into the corporate network (e.g. viruses, Trojan horses, unpatched systems).
• Endpoint security software ensures that endpoints are compliant with the corporate security policy:
– Endpoint security provides central control over the endpoint devices used by employees and partners.
– Specialised endpoint clients can be installed on the enterprise's critical infrastructure servers.
• Host Intrusion Protection
• Antivirus
• Buffer Overflow Protection
• File/Disk Encryption
• Personal Firewall
• Application Control
• Host Integrity Checking
• Patch Management
Endpoint Security
[Diagram: NAC enforcement points by access path: Mobile User over SSL VPN (On-Demand NAC); Wireless (On-Demand and 802.1x NAC) for Mobile User or Guest; Home User, Partner or Supplier over Web Application (On-Demand NAC); WAN Router (In-Line NAC); Ethernet (802.1x NAC); Ethernet (DHCP NAC); Remote Office; Embedded Windows Device; Wired User; Wired User over IPSec VPN (API NAC).]
Access Control
• Enterprises today base their business almost solely on the data stored in their IT systems.
• Controlling access to this data is vital for the protection of the enterprise.
• Access Control platforms allow administrators to centrally control and enforce access to the corporate data:
– Enforce access accountability and segregation of duties
– Centrally apply access control policies and rules to reduce administrative cost and complexity
– Enforce a fine level of control on:
• Files and folders
• Processes
• Privileged programs
• Network connections
• Terminals
– Reduce cross-platform management overhead and meet internal and external audit requirements
• Access control tools require that a defined access control policy exists.
Data Leakage
• Data leakage tools provide a finer level of control over the access restrictions applied to corporate data.
• Data leakage tools enforce the corporate access control policy by providing deep content inspection:
– Automated discovery of corporate confidential information stored on endpoints and servers.
– Network scans to detect and stop confidential information transmitted using different types of applications and protocols, e.g. IM, email, HTTP, FTP.
– Control of the distribution of information using USB drives, CD-ROMs, emails and printouts at the point of use, where information is accessed and stored.
– Alerts for data access violations and development of incident response workflows.
– Control of data input/output from heterogeneous applications and databases.
– A cost-effective way to achieve standards compliance for legacy and web applications.
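"Deep content inspection at the point of use" means the decision is taken on what the content contains and where it is going, not on the channel alone. The following is an added example, not code from the deck or from any DLP product: the events, the marker strings, the corporate domain corp.example and the block/alert/allow rules are constructed. The card-number detector applies the Luhn check so that order numbers and other digit runs are not reported as cards, which is the usual source of DLP false positives.

```python
"""Content inspection at the point of use: scan outbound content for
confidential markers and payment card numbers and decide block/alert/allow.

Added example, not from the original deck. Events, markers, the corporate
domain and the rules are constructed.
"""
import re

CORP_DOMAIN = "corp.example"
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")
# 13 to 16 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits):
    """Luhn checksum over a string of digits (used by payment card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs that look like cards and pass Luhn; others are ignored."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_markers(text):
    upper = text.upper()
    return [mk for mk in CONFIDENTIAL_MARKERS if mk in upper]


def is_external(destination):
    """Anything not naming the corporate domain leaves the organisation."""
    return CORP_DOMAIN not in destination


def inspect(event):
    """Decide for one (channel, sender, destination, content) event."""
    channel, sender, destination, content = event
    cards = find_card_numbers(content)
    markers = find_markers(content)
    if cards:
        action, reason = "block", f"payment card number on {channel}"
    elif markers and is_external(destination):
        action, reason = "block", f"{markers[0]} content leaving to {destination}"
    elif markers:
        action, reason = "alert", f"{markers[0]} content moved internally via {channel}"
    else:
        action, reason = "allow", "no sensitive content found"
    return {"channel": channel, "sender": sender, "action": action,
            "reason": reason, "card_count": len(cards)}   # no card digits in the log


# Constructed events, one per channel family from the slide.
EVENTS = [
    ("email", "bob@corp.example", "partner@outside.example",
     "Hi, please charge card 4111 1111 1111 1111 exp 12/09 for the invoice"),
    ("email", "alice@corp.example", "carol@corp.example",
     "Order 1234 5678 9012 3456 shipped this morning"),
    ("http_upload", "dave@corp.example", "files.outside.example",
     "CONFIDENTIAL: Q3 forecast and pricing"),
    ("fileshare", "carol@corp.example", "\\\\fs.corp.example\\hr\\staff.xls",
     "INTERNAL ONLY - staff list with extensions"),
    ("print", "alice@corp.example", "printer://hq-3f.corp.example",
     "Meeting agenda for Thursday"),
]


def run(events=EVENTS):
    return [inspect(e) for e in events]


if __name__ == "__main__":
    for d in run():
        print(f"{d['action']:5} {d['channel']:12} {d['sender']:18} {d['reason']}")
```

The returned record carries only a count of card numbers, never the digits: the alert log of a DLP system is itself a store of the data it exists to protect, and the incident response workflow the slide mentions should be able to work from the count and the sender alone.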
[Diagram: data leakage channels covered: Email & Web Uploads; IM / FTP / P2P File Transfer; Removable Media (CD, USB…); Hardcopy (Printers, PDF); Network Resources; Legacy Apps; Enterprise Applications (Clipboard, Exports); Unstructured Data & File Sharing (Copy, Move…).]